Script Valley
JWT & Session Auth: Deep Dive
Session-Based Authentication/Assessment

Practice & Assessment

Test your understanding of Session-Based Authentication

Multiple Choice Questions

1. Why should saveUninitialized: false be set in express-session configuration?

2. What must happen as soon as a user's credentials are verified, before any data is written to the session, to prevent session fixation?

3. What is the main limitation of express-session's default MemoryStore in production?

4. A user calls POST /logout. The session is destroyed on the server but res.clearCookie is not called. What is the result?

5. An Express middleware returns res.status(403).json({ error: 'Forbidden' }). What does this tell the client?

Coding Challenges

1. Session Auth with Regeneration and Role Middleware (Medium)

Build an Express app with: express-session configured with httpOnly, secure (env-dependent), sameSite strict; POST /login that authenticates against a hardcoded user array and calls req.session.regenerate before setting any session data; POST /logout using req.session.destroy and res.clearCookie; GET /profile protected by a requireAuth middleware that checks req.session.userId; GET /admin protected by a requireRole('admin') middleware. Return 401 for unauthenticated requests, 403 for the wrong role, and 200 with user data on success. Input: HTTP requests with session cookies. Output: JSON responses with appropriate status codes. Estimated time: 25-30 minutes.

Mini Project

1. Multi-User Session Auth API with Redis (Medium)

Build a full Express session auth API backed by Redis (use a mock/in-memory Redis client such as ioredis-mock if Redis is unavailable). Implement: user registration with bcrypt hashing, login with session regeneration, logout with session destroy + cookie clear, GET /me returning the current session user, and role-based middleware protecting a POST /admin/announce route (admin only). Configure sessions with all security options (httpOnly, secure, sameSite, maxAge: 1 hour). Include an in-memory user store with two pre-seeded users: one regular and one admin. Test all edge cases: unauthenticated access (401), wrong role (403), expired session, and double logout.