Authentication Done Simply with Express Sessions

Not everything needs JWT tokens

Posted by del on Fri Feb 13 2026
There's a tendency in modern web development to reach for JWTs by default. But for server-rendered apps with a single backend, session-based auth is simpler, more secure, and easier to reason about.

Express sessions store only a session ID in a cookie. The session data itself lives server-side: in memory for development, in a database for production. This means you can invalidate sessions instantly (logout actually works), you don't have to design a token expiration strategy, and sensitive data never touches the client.

The setup is minimal: express-session with a session store (connect-sqlite3 works great), bcrypt for password hashing, and a simple middleware that checks req.session.userId. That's it.

For the login flow: find the user by username, compare the submitted password against the stored bcrypt hash, and set the session. For protected routes, a middleware checks for the session and redirects to login if it's missing.

The one thing sessions don't handle well is cross-domain auth. If your frontend and backend are on different domains, you'll need CORS configuration and SameSite cookie settings. For same-domain apps, sessions just work.