How is the express req.session object persisted?

Question

I'm very new to learning Node and Express, and I'm still trying to wrap my head around the code flow with express. Suppose we have code that looks like this in a session.js:

app.post('/session', notLoggedIn, function(req, res) {     User.findOne({         username: req.body.username,          password: req.body.password     }, function (err, user) {         if (err) {             return next(err);         }         if (user) {             req.session.user = user;             res.redirect('/users');         } else {             res.redirect('/session/new');         }     });  }); 

Assuming the User is a required mongo schema. What I find strange is the session.user assignment:

req.session.user = user; 

Since the req variable will be out of scope after the redirect, but we're obviously doing this to persist the user data, I'm left with figuring out which of the following scenarios describe what is happening. Either (A) the argument that's being assigned to the req parameter (when the callback is called) is stored/somewhere still on the stack, (B) the session is stored/on the stack and being assigned to a new req object before it's passed in to the callback, or (C) the same as B, but on the user field (seems unlikely and maybe contrived on my part).

Answer 1

There's an overall session data structure that stores all session info for all users (like a global, but it could also be in a database - just something that is persistent at least across connections). Each client's session data uses one unique key to index into the session store to get the session data for that client.

Part of establishing a session for a given browser client is creating a unique client key (which will usually be stored in a cookie) that becomes the index into the global session object.

On an incoming http request, Express middleware that supports the session checks a particular client cookie and if that particular cookie is found on the http request and is found in the global session object/database, then it adds that session's stored info to the request object for the http request handler to later use.

So, here's a typical sequence:

1. Incoming HTTP request.
2. Middleware checks for session cookie.
3. If session cookie not there, then create one and, in the process created a unique id to identify this http client.
4. In the persistent session store, initialize the session for this new client.
5. If session cookie is there, then look in the session store for the session data for this client and add that data to the request object.
6. End of session middleware processing
7. Later on in the Express processing of this http request, it gets to a matching request handler. The session data from the session store for this particular http client is already attached to the request object and available for the request handler to use.

Answer 2

I think the accepted answer misses one crucial detail, which was surfaced by @jpaddison3: "Express-session hooks res.end() to see when the request is done and then it updates the session store if needed."

Basically, when you add the expression-session middleware, it wraps res.end() so that the new session information is saved just before the stream is closed.