
Multi-user authentication and route protection

Server-side auth with sessions, per-route access, and HTTP-only cookies.

2026-01-16

Updates

  • Added multi-user login (username + password)
  • Stored sessions server-side
  • Scoped access by route
  • Added middleware checks for protected requests
  • Set secure HTTP-only cookies with random session IDs

Notes

Today was mostly backend structure. I built a small server-side authentication layer with sessions and route-based access control.

It’s a simple setup, but it keeps access control out of the client and makes the routing behavior predictable.


Authentication flow diagram

Auth flow: login creates a server session + cookie, middleware checks access on each request.
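
A sketch of the flow above, added here as an example and not the code from this project: login verifies the password, stores a session server-side and returns an HTTP-only cookie holding only a random ID, and a middleware-style check resolves that ID and enforces per-route access on each request. The cookie name `sid`, the user table, the route prefixes, PBKDF2 password hashing and the one-hour lifetime are all assumptions.

```python
import hashlib, hmac, os, secrets, time
from http.cookies import SimpleCookie

SESSION_TTL = 3600       # seconds; assumed session lifetime
PBKDF2_ROUNDS = 600_000  # assumed password-hashing cost

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def make_user(password, routes):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "routes": routes}

# Constructed sample users, each scoped to a set of route prefixes.
USERS = {
    "alice": make_user("correct horse", ("/admin", "/reports")),
    "bob": make_user("battery staple", ("/reports",)),
}
SESSIONS = {}  # session id -> {"user", "expires"}; never leaves the server

def login(username, password):
    """Return a Set-Cookie header value on success, None on failure."""
    user = USERS.get(username)
    # Hash even for unknown users so response time does not reveal valid names.
    salt = user["salt"] if user else b"\0" * 16
    candidate = hash_password(password, salt)
    if user is None or not hmac.compare_digest(candidate, user["hash"]):
        return None
    sid = secrets.token_urlsafe(32)  # random and opaque: carries no user data
    SESSIONS[sid] = {"user": username, "expires": time.time() + SESSION_TTL}
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"].update({"httponly": True, "secure": True,
                          "samesite": "Lax", "path": "/"})
    return cookie["sid"].OutputString()

def authorize(cookie_header, path):
    """Middleware check for a protected request: 200, 401 or 403."""
    morsel = SimpleCookie(cookie_header or "").get("sid")
    sid = morsel.value if morsel else None
    session = SESSIONS.get(sid)
    if session is None or session["expires"] < time.time():
        SESSIONS.pop(sid, None)  # drop expired sessions on sight
        return 401
    allowed = USERS[session["user"]]["routes"]
    # Match whole path segments so "/reports" does not also allow "/reportsX".
    if any(path == r or path.startswith(r + "/") for r in allowed):
        return 200
    return 403
```

A missing, forged or expired session ID yields 401, while a valid session outside its route scope yields 403, so the client never decides what it may access.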