I tend to use token-based auth, but you can also use cookies to keep your users' sessions..
The principle is the same: hook a "middleware" function into the app, into the request, that checks if the user is logged in.
If yes, usually it will add a 'user' object with more info to the request.
Now, usually you don't do it on your own, something like passport.js is what people would use for this purpose.