User authentication
It seems natural to log in to a website to use its services. We do it every day, and we even trust banks and investment firms with the information we access by logging in to their websites. But HTTP is a stateless protocol, so a web server or web application cannot, by itself, tell much about one HTTP request versus another. Because HTTP requests do not natively carry state, a request does not say whether the user driving the web browser is logged in, who that user is, or even whether the request was initiated by a human being.
The typical method for user authentication is to send the browser a cookie containing a token that carries user identity. The cookie needs to contain data that identifies the browser and indicates whether that browser is logged in. The browser then sends the cookie with every request, letting the application track which user account is associated with that browser.
With Express and Connect, the best way to do this is with the session middleware...