For some context: I'm trying to make a basic login system. At the moment, signing up works with no problems. Logging in also seems to be okay, it makes a connection with the database properly - however, the big problem is that the login itself is not saved/recognized. I see no cookie or anything else that would indicate that the server is recognizing the login. I'm working in NodeJS, and the backend is hosted on my VPS (running Ubuntu). Trying to get some advice from ChatGPT didn't really help out unfortunately. I have two endpoints mainly used for logging in. One is called api/login and the other is api/auth-check. api/login returns a 200 OK, with the response of {"success":true}. api/auth-check on the other hand returns a 304 not modified, and returns a {"loggedIn":false}. I made sure to check in my frontend code that any fetch being done towards api/auth-check and api/login includes credentials: 'include'.

The reason why I need a session/cookie and for the server to remember the login is because I want to make the login & signup buttons disappear when a user logs in, and instead display "logout" and some other text. It also has to do with some other logic that I'm doing on the site which requires the user to be logged in to perform certain functions/tasks.

Here's how my current backend looks like for my api/login:

app.post('/api/login', async (req, res) => {
  try {
    const { email, password } = req.body;
    if (!email || !password) {
      return res.status(400).json({ error: 'Missing email or password' });
    }

    
    const [rows] = await db.query(
      'SELECT user_id, password FROM users WHERE email = ?',
      [email]
    );

    if (!rows.length) {
      return res.status(401).json({ error: 'Invalid email or password' });
    }

    const user = rows[0];

    if (user.password !== password) {
      return res.status(401).json({ error: 'Invalid email or password' });
    }

    req.session.userId = user.id;
    return res.json({ success: true });

  } catch (error) {
    console.error('Login error:', error);
    return res.status(500).json({ error: 'Server error' });
  }
});

And here is my api/auth-check:

app.get('/api/auth-check', async (req, res) => {
  if (!req.session.userId) {
    return res.json({ loggedIn: false });
  }

  try {
    const [rows] = await db.query(
      'SELECT email FROM users WHERE user_id = ?',
      [req.session.userId]
    );

    if (!rows.length) {
      return res.json({ loggedIn: false });
    }

    return res.json({
      loggedIn: true,
      email: rows[0].email,
    });

  } catch (error) {
    console.error('Auth check error:', error);
    return res.status(500).json({ error: 'Server error' });
  }
});

For some context: I'm trying to make a basic login system. At the moment, signing up works with no problems. Logging in also seems to be okay, it makes a connection with the database properly - however, the big problem is that the login itself is not saved/recognized. I see no cookie or anything else that would indicate that the server is recognizing the login. I'm working in NodeJS, and the backend is hosted on my VPS (running Ubuntu). Trying to get some advice from ChatGPT didn't really help out unfortunately. I have two endpoints mainly used for logging in. One is called api/login and the other is api/auth-check. api/login returns a 200 OK, with the response of {"success":true}. api/auth-check on the other hand returns a 304 not modified, and returns a {"loggedIn":false}. I made sure to check in my frontend code that any fetch being done towards api/auth-check and api/login includes credentials: 'include'.

The reason why I need a session/cookie and for the server to remember the login is because I want to make the login & signup buttons disappear when a user logs in, and instead display "logout" and some other text. It also has to do with some other logic that I'm doing on the site which requires the user to be logged in to perform certain functions/tasks.

Here's how my current backend looks like for my api/login:

app.post('/api/login', async (req, res) => {
  try {
    const { email, password } = req.body;
    if (!email || !password) {
      return res.status(400).json({ error: 'Missing email or password' });
    }

    
    const [rows] = await db.query(
      'SELECT user_id, password FROM users WHERE email = ?',
      [email]
    );

    if (!rows.length) {
      return res.status(401).json({ error: 'Invalid email or password' });
    }

    const user = rows[0];

    if (user.password !== password) {
      return res.status(401).json({ error: 'Invalid email or password' });
    }

    req.session.userId = user.id;
    return res.json({ success: true });

  } catch (error) {
    console.error('Login error:', error);
    return res.status(500).json({ error: 'Server error' });
  }
});

And here is my api/auth-check:

app.get('/api/auth-check', async (req, res) => {
  if (!req.session.userId) {
    return res.json({ loggedIn: false });
  }

  try {
    const [rows] = await db.query(
      'SELECT email FROM users WHERE user_id = ?',
      [req.session.userId]
    );

    if (!rows.length) {
      return res.json({ loggedIn: false });
    }

    return res.json({
      loggedIn: true,
      email: rows[0].email,
    });

  } catch (error) {
    console.error('Auth check error:', error);
    return res.status(500).json({ error: 'Server error' });
  }
});

• javascript
• node.js
• frontend
• backend
• web-development-server

Share Improve this question Follow edited Mar 20 at 21:37 phoenix56 asked Mar 20 at 20:28 phoenix56phoenix56 322 bronze badges 2

• You should edit your question and add more details, such as code and so on. How to ask? – Teyrox Commented Mar 20 at 21:13
• I added some useful code snippets from my code. – phoenix56 Commented Mar 20 at 21:38

Add a comment  | 

3 Answers 3

Sorted by: Reset to default 0

The most likely reason your session isn’t being saved or recognized is because you didn’t configure or use express-session properly on your backend.

Even though you're assigning req.session.userId, that won’t persist unless you have this middleware set up:

const session = require('express-session');

app.use(session({
  secret: 'your-secret-key',
  resave: false,
  saveUninitialized: false,
  cookie: {
    secure: false, // set to true if using HTTPS
    httpOnly: true,
    sameSite: 'lax',
  }
}));

And your frontend is sending cookies correctly, you're doing this right:

fetch('/api/login', {
  method: 'POST',
  credentials: 'include',
  ...
});

Also check if you’re not missing app.use(express.json()) or express.urlencoded() before your routes.

Your user.id exists (req.session.userId = user.id) but your DB returns user_id, so this might be undefined! Replace with:

req.session.userId = user.user_id;

well, I don't know how express.js works, but from what I'm seeing there are two things:

— first: you should add a middleware to return a session with a cookie.

— second: I don't see any cookies being sent or saved in the api/login.

i don't know much about Relational (SQL) and session in express.js to set/send a cookie after you validation checks in your logging logic are successful before return res.json({ success: true }); do this

res.cookie("name","value",option)
// code explanation down below 

1. name = the name of the cookie (e.g auth, accessToken).
2. value = what the cookie will hold (e.g jwt token, username, userId).
3. option = an Object containing info that tells the browser what and how to handle the cookie (e.g {httpOnly: true, secure: true, maxAge:"time in milliseconds"} and more.

and to verify if the user is login you will create a middleware to verify if a user is login whenever they try to access a protected route/endpoint.

if this is helpful please do let me know or if you have been able to solve the issue before now do let me know (!Note you can google or search youtube)