Introduction to Sessions with Express (Node.js) and Angular

January 2018

Managing sessions may seem a bit daunting at first. But taking first steps isn't actually that hard. When using Express based on Node.js in the backend, most things are already figured out for you. Still, there a few pitfalls you might want to avoid. This tutorial helps you getting started on the right foot.

First of all, let's see a very simple example application using express and sessions. There's a quite simple one on Tutorialspoint, which looks somewhat like this:

var express = require('express');
var session = require('express-session');

var app = express();

app.use(session({secret: "Shh, its a secret!"}));

app.get('/', function(req, res){
      res.send("You visited this page " + req.session.page_views + " times");
   } else {
      req.session.page_views = 1;
      res.send("Welcome to this page for the first time!");

This is everything you need for working sessions! You'll also notice, that when you open this once in Chrome and once in Firefox, that express-session creates different sessions for different clients.

How does that work? Express generates a cookie, which is sent to the browser together with the response. The browser then attaches this cookie to subsequent requests, which lets express identify a client.

Getting things to work with Angular

Getting things to work with Angular requires an extra step, to how you'd usually send a request. You'll need to have the {withCredentials: true} option present on your requests! If you don't attach this, the cookie won't be sent. So resulting code might look like this:

getLogin() {
    this.http.get(environment.apiUrl + '/login', {
      withCredentials: true  // <=========== important!
    }).subscribe((resp: any) => {;
    }, (errorResp) => {
      this.toastr.error('Oops, something went wrong getting the logged in status')

Another thing you'll need to think of, is CORS (Cross Origin Resource Sharing). Since your backend and frontend will live at different domains / different ports, you'll need to enable CORS in the backend. This can easily be achieved with Express like this:

const cors = require('cors');
      const app = express();
app.use(cors({origin: [
], credentials: true}));

Now everything should be working as expected.


There are some other considerations to be made when working with sessions. This was only an introduction. You should make sure to have the secure option activated in Express. You also shouldn't store the session in application memory, which is the default. So in order to get your system ready for production some extra steps will be required.

We've also made a video about sessions with Express. It goes into more details than the written tutorial above and walks you through building an actual small app with login / logout and sessions with express and Angular 5.

The full code can be found on github:

Dear Devs: You can help Ukraine🇺🇦. I opted for (a) this message and (b) a geo targeted message to Russians coming to this page. If you have a blog, you could do something similar, or you can link to a donations page. If you don't have one, you could think about launching a page with uncensored news and spread it on Russian forums or even Google Review. Or hack some russian servers. Get creative. #StandWithUkraine 🇺🇦
Dear russians🇷🇺. I am a peace loving person from Switzerland🇨🇭. It is without a doubt in my mind, that your president, Vladimir Putin, has started a war that causes death and suffering for Ukrainians🇺🇦 and Russians🇷🇺. Your media is full of lies. Lies about the casualties, about the intentions, about the "Nazi Regime" in Ukraine. Please help to mobilize your people against your leader. I know it's dangerous for you, but it must be done!