In this project, we implemented and understood different authentication mechanisms from first principles using Node.js, Express, and middleware.
We explored how identity is verified between a client and server, and how different approaches handle authentication.
- Credentials (username & password) are sent in every request.
- Encoded in Base64 and passed via the `Authorization` header.
- Server decodes and validates the user on each request.

👉 Problem: Not secure and inefficient (credentials sent repeatedly)
- Server creates a session after successful login.
- A session ID is sent to the client via a cookie (`connect.sid`).
- Browser automatically sends this cookie in future requests.
- Server verifies the session and grants access.

Routes:
- `/session/login` → creates session
- `/session/check` → protected route
- `/session/logout` → destroys session and clears cookie

👉 Insight: Server stores user state (stateful)
- Server generates a token after login using `jsonwebtoken`.
- Token is sent to the client and stored (usually in localStorage or memory).
- Client sends the token in the `Authorization` header for each request.
- Server verifies the token without storing session data.

Routes:
- `/jwt/login` → generates token
- `/jwt/check` → verifies token using `jwt.verify()`

👉 Insight: Stateless authentication (no server memory)
| Feature | Session Auth | JWT Auth |
|---|---|---|
| Storage | Server | Client |
| State | Stateful | Stateless |
| Logout | Server destroys session | Client removes token |
| Scalability | Limited | High |
- Authentication is about proving identity.
- Sessions = server remembers you.
- JWT = you prove yourself every time.
- Logout behavior differs based on architecture.
- Understanding flow > memorizing code.
- Node.js
- Express.js
- express-session
- jsonwebtoken
- morgan (logging)