@idagio/session-middleware
Middleware for creating and managing sessions. Builds on top of @idagio/cookie-middleware.
A very opinionated middleware for creating and managing session cookies.

This module builds on the shoulders of @idagio/cookie-middleware to provide a very simple interface for working with sessions. This module does not concern itself with storage or validation of sessions; that is left to the user.

All that this module gives you is a way to ensure that there is always a request.session.token value, and a method for resetting that value to something different.
```js
var express = require('express');
var Cookies = require('@idagio/cookie-middleware');
var Session = require('@idagio/session-middleware');

var app = express();
app.use(Cookies.middleware); // populates request.cookies
app.use(Session.middleware); // populates request.session

app.get('/', function (request, response) {
  response.writeHead(200);
  response.end('Your session token is: ' + request.session.token);
});

app.get('/reset', function (request, response) {
  request.session.reset(); // issue a fresh token and set it on the cookie
  response.redirect('/');
});

app.listen(3000);
```
You can also use the constructor bare, just like @idagio/cookie-middleware:

```js
var session = new Session(request.cookies, 'my_session_name');
```
By default, Session.middleware uses the session name _session; you can override this by writing your own version of the middleware that initializes the Session constructor directly (it's four lines of code), e.g.,

```js
// Custom middleware: stores the session under a different property and cookie name.
function SessionMiddleware(request, response, next) {
  request.my_awesome_session = new Session(request.cookies, 'my_awesome_session');
  next();
}

app.use(SessionMiddleware);
```
You will often use the request.session.token value to store some information in a database or in memory, such that you can use the session token to retrieve that information at a later point in time. In order to prevent Session Fixation, you should ALWAYS do a request.session.reset() before changing the value of the session; otherwise a token that was set in the browser before authentication would become bound to the logged-in user.

For example, on login:

1. Call request.session.reset() to get a new session token
2. Store request.session.token in your database (e.g., redis)

You should probably also expire sessions in your storage after a given number of days of inactivity.
new Session(cookies, [ name ])

Creates a new instance of the Session handler; cookies is expected to be something that conforms to the API which @idagio/cookie-middleware exposes. Optionally, you can specify a name for the cookie that the session will be stored in; this defaults to '_session'.
Session.prototype.reset()

Generates a new token value, and sets that as the session cookie's value.

This module uses cryptiles for creating random values. At present, the session token is generated using cryptiles.randomString(256).

If you would like to comment privately on the security aspects of this module, please email Em Smith – ms@idagio.com.