Learn how to use `express-session` and implement it in your Express-based application.

Sessions in Express

In order to implement sessions within an Express application, we can use the NPM module, [`express-session`](https://www.npmjs.com/package/express-session), as a middleware. 

Once the session middleware is implemented, each user that navigates to our app will have a unique session generated for them. This allows us to store their session data server-side under a session identifier and easily retrieve it.

We can install the package by running the following command:

```
npm install express-session
```

From here, we import the session module and store it in a variable:

```js
const session = require("express-session")
```

Installing express-session

So far, we have a middleware set up to instantiate sessions and store session data server-side. We should make use of client-side storage so that the user's browser can automatically send over the session identifier with each incoming HTTP request.

In this exercise, we'll tell the client browser to create a cookie that stores the session ID. We will also modify cookie attributes to add a bit of security. We can add a `cookie` property in our session middleware like so:

```js
app.use(
  session({
    secret: "f4z4gs$Gcg",
    cookie: { maxAge: 1000 * 60 *60 * 24, secure: true, sameSite: "none" },
    saveUninitialized: false,
    resave: false,
  })
);
```

Cookies will have a few default properties set, but we can specify them using key-value pairs. The `maxAge` property sets the number of milliseconds until the cookie expires. In this case, we're setting it to expire in 24 hours. We're also providing it with the `secure` attribute so it's only sent to the server via HTTPS. Lastly, we're adding a `sameSite` property and setting it to `"none"` in order to allow a cross-site cookie through different browsers.

Other cookie properties include: 
- `cookie.expires`
- `cookie.httpOnly`
- `cookie.sameSite`


Authentication and Sessions: Cookies

With a session middleware configured, we can now make use of the session and combine it with an authentication process.

On the right, we have a login form that takes a username and password. If a user logs in with the correct credentials, we want to initiate a session. 

We can do this by first looking up the user in our database and then verifying that the password is correct. Once credentials are confirmed, we'll add data to our session.  

 Once the user is logged in we'll add a property, `authenticated` within our session object and assign it to `true`. We'll also set `user` in the session data and assign it the `username` and `password` we received:

```js
// Look up user in database, if found, confirm password:
if (password == "codec@demy10") {
  // Attach an `authenticated` property to our session:
  req.session.authenticated = true;
  // Attach a user object to our session:
  req.session.user= {
    username,
    password,
  }
}
```
> **Note**: we are demonstrating using a hardcoded password. However, in production, you always want to encrypt your password.

Once the user is logged in, their session is created and stored in memory. The properties `authenticated` and `user` will be accessible and changeable as session data.

Sessions and Authentication: Logging In

Now that we have `express-session` installed, we can configure the middleware and implement it in `app.js`. Let's explore a few of the options we can configure:

- `secret`: The `secret` property is a key used for signing and/or encrypting cookies in order to protect our session ID. 

The next two properties determine how often the session object will be saved.

- `resave`: Setting this option to `true` will force a session to be saved back to the session data store, even when no data was modified. Typically, this option should be `false`, but also depends on your session storage strategy.

- `saveUninitialized`: This property is a boolean value. If it's set to `true`, the server will store every new session, even if there are no changes to the session object. This might be useful if we want to keep track of recurring visits from the same browser, but overall, setting this property to `false` allows us to save memory space. 

Once all options are configured we configure the properties for `express-session` like so:

```js
app.use(
  session({
    secret: "D53gxl41G",
    resave: false,
    saveUninitialized: false,
  })
);
```

Note that we are using a hardcoded string of characters for the `secret` property. Usually, this random string should be stored securely in an environment variable, not in the code.

The `resave` and `saveUninitialized` properties are set to false in order to avoid saving or storing unmodified sessions.  With those options put in place, we have the most basic setup of our middleware!

In the next exercise, we will specify where the session data should be stored.


express-session Configuration

Whether you are browsing through an online shop or accessing your bank account online, your user data persisted across page loads thanks to sessions. Without them, every time you reloaded the window you would be logged out or lose your cart!

This lesson is about how to use `express-session` to implement a session. We will try this out on a basic website with a login portal.

Introduction to Sessions in Express

Data in a session is serialized as JSON when stored, so we're able to store and access data in nested objects. Let's say we had saved the number of items in a user's cart in the session data:

```js
req.session.user.cartCount = 2;
```
We can then access it by referring to `req.session.user.cartCount` when we need to display the correct number of items. We can also update its value.

One common use case of session data is to protect specific routes. In the example below, we check that the `authorized` property exists within the session, and if it's set to `true` before we move on to the next route handler.

```js
function authorizedUser(req, res, next) {
  // Check for the authorized property within the session
  if (req.session.authorized) {
    // next middleware function is invoked
    res.next();
  else {
    res.status(403).json({ msg: "You're not authorized to view this page" });
  }
};
```

In the protected route, we can also pass the `user` session object:

```js
app.get("/protected", authorizedUser, (req, res, next) => {
 res.render("protected", { "user": req.session.user });
});
```

NOTE: `res.render()` takes in a view page as the first argument and an object whose properties define local variables for the view as the second argument. 

In the workspace, we have some code that corresponds to the same website from the last exercise. Let's implement the examples from above!

Accessing Session Data

Great job! We've covered the basics of using `express-session` to implement sessions. We've learned:


- How to use `express-sessions` in order to create our own middleware for sessions.

- How certain properties work in the `session` middleware, such as `resave`, and `saveUninitialized`.

- How to configure cookies in the middleware, along with specific properties that help with session security.

- How to store a session in memory

- How to incorporate sessions into an authentication process. 

- How to access and modify session after user is authenticated

If you'd like to experiment more with sessions, we've provided you with the simple application from the last few exercises so you can handle authentication and/or create new properties within a session object. 

To run the application with its full effect, we recommend coding and testing it in your local Node environment. We're attaching a [zipped file of the project here](https://static-assets.codecademy.com/content/paths/web-security/sessions-in-express/sessions-auth-data.zip).

For further information refer to the [main `express-session` documentation](https://www.npmjs.com/package/express-session).

Review

Now that the middleware will create sessions, let's configure how the middleware saves session data.

Sessions are typically stored in three different ways:
- In memory (this is the default storage)
- In a database like MongoDB or MySQL
- A memory cache like Redis or Memcached

Whenever a user makes a request from the same client with a valid session identifier, the server retrieves the valid session information.

`express-session` provides an in-memory store called, `MemoryStore()`. If no other store is specified, then this is set as the default storage. Let's explore how we would add this to the middleware.
 
We can instantiate a new store like so:

```js
const store = new session.MemoryStore();
```

Once instantiated, we can add it in the configuration of our session:

```js
app.use(
  session({
    secret: "secret-key",
    resave: false,
    saveUninitialized: false,
    store,
  })
);
```

> Note: Storing in-memory sessions is something that should be done only during development, NOT during production due to security risks.