Conversation

mao-sz
Contributor

@mao-sz mao-sz commented Jun 28, 2025

Because

As part of the Node revamp's 2nd milestone

This PR

  • Adds a new lesson discussing TOP-scoped session management comparisons/necessities

Issue

Closes #29735

Pull Request Requirements

  • I have thoroughly read and understand The Odin Project curriculum contributing guide
  • The title of this PR follows the location of change: brief description of change format, e.g. Intro to HTML and CSS lesson: Fix link text
  • The Because section summarizes the reason for this PR
  • The This PR section has a bullet point list describing the changes in this PR
  • If this PR addresses an open issue, it is linked in the Issue section
  • If any lesson files are included in this PR, they have been previewed with the Markdown preview tool to ensure it is formatted correctly
  • If any lesson files are included in this PR, they follow the Layout Style Guide

@github-actions github-actions bot added the Content: NodeJS Involves the NodeJS course label Jun 28, 2025
@mao-sz mao-sz mentioned this pull request Jun 28, 2025
mao-sz added 5 commits June 29, 2025 01:14
Not meant as a 'stateless/JWT is always bad in every context' thing
"or anyone" bit ends up reading awkwardly, and that example is focused on the impact of stale data. The impact of other users using copied tokens is already addressed in the next section.
Member

@01zulfi 01zulfi left a comment


lgtm 🚀

mao-sz added 2 commits June 29, 2025 10:04
Loki is not related to Odin. That's a Marvel thing... oops
@mao-sz mao-sz mentioned this pull request Jul 4, 2025
@01zulfi 01zulfi added the Project Node Revamp Issues/PRs related to the Node Revamp project label Jul 19, 2025
@mao-sz
Contributor Author

mao-sz commented Jul 20, 2025

Holding off on addressing review suggestions while https://discord.com/channels/505093832157691914/1181210153358471168/1390089775846785175 is still up for discussion. Will address accordingly once we know how we wish to proceed.

@mao-sz mao-sz mentioned this pull request Jul 21, 2025
@mao-sz mao-sz changed the title New lesson: Stateful vs Stateless Authentication New lesson: Session Management in Practice Jul 27, 2025
@mao-sz mao-sz requested review from 01zulfi and Asartea July 27, 2025 17:48
@mao-sz
Contributor Author

mao-sz commented Jul 27, 2025

As discussed on Discord, the lesson has now had wording amendments as per review applied, as well as additional content on third-party cookies and reverse proxies, kept within only the scope needed for TOP projects.

If you want to see the code in action, check out https://github.com/mao-sz/test-proxy
Cloudflare Pages does not support reverse proxying to an external domain but Netlify and Vercel do with the appropriate rewrite rules, and Express trusting 1 level of proxy (when hosted on Render).
No CORS setup needed nor any cross-site configuration for requests in client-side code (e.g. credentials: 'include').
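The setup described in the comment above (a same-origin rewrite in front of an Express app that trusts exactly one proxy hop) hinges on what "trusting 1 level of proxy" means. The following is an added example, not code from this PR, from the test-proxy repository or from The Odin Project's lesson: a dependency-free model of how a trust-hop count decides which `X-Forwarded-For` / `X-Forwarded-Proto` values a server believes, and why that count controls whether a `Secure` session cookie can be issued at all behind a TLS-terminating proxy. The function names, the request objects and the cookie policy are constructed for this example; it is a simplification of Express's real behaviour (which delegates to the proxy-addr package) and not its source.

```javascript
// Added example (not from the PR): a minimal model of "trust N proxy hops".
// The request objects below are constructed stand-ins for what Node's http
// server would hand to Express; they are not real captured traffic.

// Walk the forwarding chain outwards from the TCP peer. Each trusted hop lets
// us believe one more X-Forwarded-For entry. The rightmost entries were
// appended by the proxies nearest to us; the leftmost are whatever the client
// chose to send and must not be believed unless every hop in between is trusted.
function resolveClientIp(req, trustHops) {
  const forwarded = (req.headers['x-forwarded-for'] || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean);
  // chain[0] is the socket peer; chain[i] is the address chain[i-1] claims it forwarded for
  const chain = [req.socket.remoteAddress, ...forwarded.reverse()];
  const hops = Math.min(trustHops, chain.length - 1);
  return chain[hops];
}

// Only a trusted immediate peer may tell us the original scheme; with no
// trusted hop, the scheme is whatever the socket itself is.
function requestIsSecure(req, trustHops) {
  if (trustHops > 0) {
    const proto = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
    if (proto) return proto === 'https';
  }
  return Boolean(req.socket.encrypted);
}

// A Secure cookie is only issued on a request the server considers HTTPS.
// Behind a TLS-terminating proxy with trustHops = 0, the app sees plain HTTP
// and therefore never sets the session cookie at all, a classic deployment bug.
function sessionCookieHeader(req, trustHops, sessionId) {
  if (!requestIsSecure(req, trustHops)) return null;
  return `sid=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed: TLS terminated at one proxy (e.g. a PaaS edge), plain HTTP to us.
const behindOneProxy = {
  socket: { remoteAddress: '10.0.0.5', encrypted: false },
  headers: { 'x-forwarded-for': '203.0.113.7', 'x-forwarded-proto': 'https' },
};

// Constructed: same proxy, but the client prepended a forged address.
const spoofedChain = {
  socket: { remoteAddress: '10.0.0.5', encrypted: false },
  headers: { 'x-forwarded-for': '192.0.2.44, 203.0.113.7', 'x-forwarded-proto': 'https' },
};

// Constructed: a direct plaintext request with forged headers and no proxy at all.
const directSpoof = {
  socket: { remoteAddress: '198.51.100.9', encrypted: false },
  headers: { 'x-forwarded-for': '192.0.2.44', 'x-forwarded-proto': 'https' },
};

function demo() {
  return {
    oneHop: resolveClientIp(behindOneProxy, 1),                 // '203.0.113.7'
    spoofIgnored: resolveClientIp(spoofedChain, 1),              // '203.0.113.7', not the forged one
    trustAllBelievesSpoof: resolveClientIp(spoofedChain, 10),    // '192.0.2.44'
    cookieSet: sessionCookieHeader(behindOneProxy, 1, 'abc') !== null, // true
    noTrustNoCookie: sessionCookieHeader(behindOneProxy, 0, 'abc'),    // null
    trustWithoutProxy: requestIsSecure(directSpoof, 1),          // true: a hop you do not have is a hop anyone can forge
  };
}

console.log(demo());
```

The two failure modes the comment's "1 level of proxy" avoids are both visible here: trusting zero hops behind a TLS-terminating proxy means the `Secure` cookie is never issued, while trusting more hops than actually exist lets a client forge its own address and scheme.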

Member


Very minor grammar check. But where you said "(though this is of course sometimes an desirable security feature, like with many banking websites)." should say "sometimes a desirable security feature"

Contributor Author

@mao-sz mao-sz Aug 20, 2025


Nice catch! Though you're looking at an outdated commit - the latest version has that fixed (fixed in 3e0b841).

There will have been quite a few changes since the commit you had looked at.

@Asartea
Contributor

Asartea commented Aug 21, 2025

Looks good to me

@Asartea
Contributor

Asartea commented Aug 21, 2025

One comment: how necessary is http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ ? It's currently giving security warnings because it is lacking a valid certificate; I would prefer to avoid sites which work only over HTTP, especially as HTTPS-only mode is becoming more and more common

@mao-sz
Contributor Author

mao-sz commented Aug 21, 2025

Edit: On another review, I think it's fine to drop the assignment

One comment: how necessary is http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ ? It's currently giving security warnings because it is lacking a valid certificate; I would prefer to avoid sites which work only over HTTP, especially as HTTPS-only mode is becoming more and more common

Hmmm. I really like that article and how it explains things, but I agree that lacking https sucks. From an outside perspective, how do you feel about the assignment section as a whole? Do you feel it's "complete" without the cryto resource? Or do you feel the cryto resource fills what would otherwise be a gap, and so would benefit from finding an equivalent https resource if possible?

Website served with HTTP (no HTTPS), and not strictly necessary given the other assigned resources.
Successfully merging this pull request may close these issues.

New Lesson: Stateful vs Stateless Auth
4 participants