If you're building a REST system, it is by definition stateless, so session isn't something you directly manage.
Putting that aside for the moment, I'll assume you mean just that requests should be authenticated and that you want to know who the user is to authorize whatever action they're taking.
In that case, you have three general approaches to take.
1) keep some form of in-memory session store with a cookie (or other secret, like a URL token) passed to act as the key for the request. This scales poorly, as each worker in your cluster has its own memory space.
2) DB lookup of the user in every request by either passing credentials or (again) some form of session token every time. This has the advantage that all front-end nodes of your app can share the DB and they are all up to date on a user's rights.
3) Some form of encrypted token that includes whatever user info you need to create the User object. The most common standard for this is the JSON Web Token, but others can work too. This has the advantage of being very scalable and not requiring DB trips on every request, but adds the challenge of token invalidation (e.g., on logout or when a user's rights change).
So all three are fine depending on what you need. Some apps also use a hybrid (e.g., #2 with #1 as a cache to improve performance), but that will also add complexity and bring along new things to consider (like invalidation of cache items).
Finally, some apps take a heterogeneous approach to the database, using a document store like Mongo for their main business objects and a fast, key-value store like Redis or memcached for stuff that happens every request (like user auth).
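
As an added example (not part of the original answer), here is one way to handle the invalidation challenge of approach 3 using the fast key-value store mentioned last: a self-contained token carries a per-user version that is checked on every request. It assumes Node.js, an HMAC-signed (not encrypted) token in a simplified two-part format rather than a full JWT, and a `Map` standing in for Redis or memcached; all function names are hypothetical.

```javascript
const crypto = require('crypto');

// Assumption: in production the key comes from a secret manager shared by all workers.
const SECRET = crypto.randomBytes(32);
// Stand-in for Redis/memcached: userId -> current token version.
const tokenVersions = new Map();

const b64 = (data) => Buffer.from(data).toString('base64url');
const sign = (payload) =>
  crypto.createHmac('sha256', SECRET).update(payload).digest();

// Issue "<payload>.<mac>" carrying everything needed to build the User object.
function issueToken(user, ttlSeconds, now = Date.now()) {
  if (!tokenVersions.has(user.id)) tokenVersions.set(user.id, 1);
  const payload = b64(JSON.stringify({
    sub: user.id,
    roles: user.roles,
    ver: tokenVersions.get(user.id),
    exp: Math.floor(now / 1000) + ttlSeconds,
  }));
  return `${payload}.${b64(sign(payload))}`;
}

// Returns the user on success, null on any failure.
function verifyToken(token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = sign(payload);
  const given = Buffer.from(mac, 'base64url');
  // Check length first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  // Parsed only after the MAC is verified, so the JSON is our own output.
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  if (claims.exp <= Math.floor(now / 1000)) return null;
  // Invalidation: one key-value lookup, no trip to the main database.
  if (tokenVersions.get(claims.sub) !== claims.ver) return null;
  return { id: claims.sub, roles: claims.roles };
}

// Call on logout or when the user's rights change; older tokens stop verifying.
function revokeUser(userId) {
  tokenVersions.set(userId, (tokenVersions.get(userId) || 0) + 1);
}
```

The version lookup brings back a small amount of shared state, which is the trade-off for being able to revoke a token before its `exp` passes.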