Not specifically about the web, but Cryptography Engineering: Design Principles and Practical Applications is my favorite book on the subject. It's not a thorough treatment of the subject of security, but it shows how much care needs to be given to such systems and why security is hard in general. Throughout the book you will find plenty of advice on how to approach such problems, even for the web.
1. All You Ever Wanted to Know About Sessions In Node.js (Stormpath) - https://stormpath.com/blog/everything-you-ever-wanted-to-kno...
2. Express.js Production Best Practices - https://expressjs.com/en/advanced/best-practice-security.htm...
3. express-session (npm module) - https://ewiggin.gitbooks.io/expressjs-middleware/content/exp...
4. Node.js authentication strategy using Passport.js and Redis - https://blog.risingstack.com/node-hero-node-js-authenticatio...
For JSON Web Tokens:
1. JWT Handbook: https://auth0.com/e-books/jwt-handbook
2. IETF Specification: https://tools.ietf.org/html/rfc7519
3. https://jwt.io/
4. Authentication in React Applications, Part 2: JSON Web Tokens - https://vladimirponomarev.com/blog/authentication-in-react-a...
6. Token Authentication Implementation - https://docs.docker.com/registry/spec/auth/jwt/
7. JWT Validation and Authorization in ASP.NET Core - https://blogs.msdn.microsoft.com/webdev/2017/04/06/jwt-valid...