Say you’ve logged a user in. Now what?
You can pass that login info back and forth between the server and user’s browser, but that just seems bad, doesn’t it? What if the user tampers with the login ID and poses as someone else?
Oh, I know, you can keep the session info just on the server side. Maybe store it in memory or in a database, and then look it up whenever the user’s session ID is passed back. But does this scale? How much memory do you need and is it worth doing a database lookup on every request?
Another option is to send the login info in the session to the client, but make it tamper-proof. In other words, encrypt it.
Here’s how to do that in nodejs: