node.js - Authentication & Sessions in express.js/sails.js -

have been working through sails cast tutorials , confused way sessions work.

in tutorial, user marked authenticated in session controller by:

req.session.authenticated = true; req.session.user = user; res.redirect('/'); 

why session being saved in request?! understanding 'req' object in express.js information browser sends server.

shouldn't server save information elsewhere (won't request object deleted when theres request?)

furthermore, somehow application retrieves authentication status object session when templating page ejs:

<% if (session.authenticated) { %> 

why isn't variable set directly?

probably silly question confused @ how logic works , online articles/tutorials aren't helping me understand...

it common practice express middleware (remember, sails built on express) attach properties req object may accessed in later middleware, , controllers. happens behind scenes req object comes in cookie containing session id, , session middleware uses retrieve actual session data datastore (by default, , in-memory store used. super fast , easy development, not recommended deployment), , attaches req object.

regarding value of session.authenticated in ejs, default sails includes req.session in res.locals (accessible in views), value whatever stored in session via controller.