Q1. What is session management in Express?
Sessions allow you to store user-specific data across multiple requests. Unlike cookies (stored client-side), session data is stored on the server. A session ID is sent to the client via cookie, and the server uses this ID to retrieve the session data.
Q2. How do you implement sessions in Express?
Use express-session middleware. Install it, then: app.use(session({ secret: 'your-secret', resave: false, saveUninitialized: true, cookie: { secure: false } })); Then session data is available on req.session. Example: req.session.userId = user.id.
Q3. What do session options like secret, resave, and saveUninitialized mean?
secret is used to sign the session ID cookie. resave: false prevents saving session if it wasn't modified. saveUninitialized: false prevents saving empty sessions (useful for login pages). cookie options control the session cookie behavior.
Q4. Where is session data stored by default?
By default, express-session uses MemoryStore, which stores sessions in server memory. This is not suitable for production because it doesn't scale and leaks memory. In production, use database stores like connect-mongo (for MongoDB) or connect-redis.
Q5. How do you destroy a session (logout)?
Use req.session.destroy() method. Example: req.session.destroy((err) => { if(err) {...} else { res.redirect('/') } }). This removes the session data and clears the session cookie.