Practice & Assessment
Test your understanding of Session-Based Authentication
Multiple Choice Questions
Why must you call req.session.regenerate() immediately after a user logs in?
What is the main problem with using the default MemoryStore for sessions in production?
Which express-session option prevents empty sessions from being persisted to the store?
A login endpoint returns 'User not found' for unknown emails and 'Wrong password' for known emails with bad passwords. What attack does this enable?
What does setting cookie.sameSite: 'lax' on a session cookie protect against?
Coding Challenges
1. Implement a full session-based login system
Build an Express app with three routes: POST /auth/register (accepts email and password, hashes the password with bcrypt, stores user in a plain JavaScript object as a mock database), POST /auth/login (verifies credentials, regenerates session, stores userId), and GET /profile (protected route, returns userId from session or 401 if not logged in). No real database required — use a module-level object. Input: JSON body with email and password. Output: JSON responses with appropriate status codes. Constraint: session must regenerate on login, cookies must be httpOnly. Estimated time: 25–30 minutes.
Mini Project
Persistent Session Auth with PostgreSQL Store
Build a complete session-based auth system backed by PostgreSQL. Implement: user registration (email + password, bcrypt, store in users table), login (verify credentials, regenerate session, store in pg session table), logout (destroy session, clear cookie), a protected /me route returning current user info, and a remember-me option that sets a 30-day maxAge. All session config options must be production-safe (httpOnly, secure, sameSite). Test all routes with curl or Postman and include the test commands in a README.
