koa-session
Advanced tools
koa-session is a session middleware for Koa, a popular web framework for Node.js. It provides a way to manage user sessions, including storing session data, setting session cookies, and handling session expiration.
Basic Session Setup
This code sets up a basic Koa application with session management. It configures the session middleware with various options like cookie key, max age, and httpOnly flag. The middleware is then used to track the number of views for each session.
const Koa = require('koa');
const session = require('koa-session');
const app = new Koa();
app.keys = ['some secret hurr'];
const CONFIG = {
key: 'koa:sess', // cookie key (default is koa:sess)
maxAge: 86400000, // cookie's max age in ms (1 day)
autoCommit: true, // automatically commit headers (default true)
overwrite: true, // can overwrite or not (default true)
httpOnly: true, // httpOnly or not (default true)
signed: true, // signed or not (default true)
rolling: false, // Force a session identifier cookie to be set on every response. The expiration is reset to the original maxAge, resetting the expiration countdown.
renew: false, // renew session when session is nearly expired, so we can always keep user logged in.
};
app.use(session(CONFIG, app));
app.use(ctx => {
if (ctx.path === '/favicon.ico') return;
let n = ctx.session.views || 0;
ctx.session.views = ++n;
ctx.body = n + ' views';
});
app.listen(3000);Custom Session Store
This code demonstrates how to use a custom session store with koa-session. The custom store is implemented using a simple in-memory Map. The store object provides methods for getting, setting, and destroying session data.
const Koa = require('koa');
const session = require('koa-session');
const app = new Koa();
app.keys = ['some secret hurr'];
const store = {
storage: new Map(),
get(key) {
return this.storage.get(key);
},
set(key, sess) {
this.storage.set(key, sess);
},
destroy(key) {
this.storage.delete(key);
}
};
const CONFIG = {
store,
};
app.use(session(CONFIG, app));
app.use(ctx => {
if (ctx.path === '/favicon.ico') return;
let n = ctx.session.views || 0;
ctx.session.views = ++n;
ctx.body = n + ' views';
});
app.listen(3000);Session Regeneration
This code shows how to regenerate a session in koa-session. When the user accesses the '/regenerate' path, the session is regenerated, which can be useful for security purposes, such as after a user logs in.
const Koa = require('koa');
const session = require('koa-session');
const app = new Koa();
app.keys = ['some secret hurr'];
const CONFIG = {};
app.use(session(CONFIG, app));
app.use(async ctx => {
if (ctx.path === '/favicon.ico') return;
if (ctx.path === '/regenerate') {
await ctx.regenerateSession();
ctx.body = 'Session regenerated';
} else {
let n = ctx.session.views || 0;
ctx.session.views = ++n;
ctx.body = n + ' views';
}
});
app.listen(3000);express-session is a session middleware for Express, another popular web framework for Node.js. It provides similar functionalities to koa-session, such as session storage, cookie management, and session expiration. However, it is designed to work with Express rather than Koa.
cookie-session is a lightweight session middleware that stores session data in cookies rather than on the server. This can be useful for small session data and simplifies the setup by not requiring a session store. It works with both Koa and Express.
koa-generic-session is another session middleware for Koa. It provides more flexibility and customization options compared to koa-session, such as support for different session stores and more advanced session management features.
Simple session middleware for Koa. Defaults to cookie-based sessions and supports external stores.
Requires Node 7.6 or greater for async/await support
$ npm install koa-session
View counter example:
const session = require('koa-session');
const Koa = require('koa');
const app = new Koa();
app.keys = ['some secret hurr'];
const CONFIG = {
key: 'koa:sess', /** (string) cookie key (default is koa:sess) */
/** (number || 'session') maxAge in ms (default is 1 days) */
/** 'session' will result in a cookie that expires when session/browser is closed */
/** Warning: If a session cookie is stolen, this cookie will never expire */
maxAge: 86400000,
autoCommit: true, /** (boolean) automatically commit headers (default true) */
overwrite: true, /** (boolean) can overwrite or not (default true) */
httpOnly: true, /** (boolean) httpOnly or not (default true) */
signed: true, /** (boolean) signed or not (default true) */
rolling: false, /** (boolean) Force a session identifier cookie to be set on every response. The expiration is reset to the original maxAge, resetting the expiration countdown. (default is false) */
renew: false, /** (boolean) renew session when session is nearly expired, so we can always keep user logged in. (default is false)*/
sameSite: null, /** (string) session cookie sameSite options (default null, don't set it) */
};
app.use(session(CONFIG, app));
// or if you prefer all default config, just use => app.use(session(app));
app.use(ctx => {
// ignore favicon
if (ctx.path === '/favicon.ico') return;
let n = ctx.session.views || 0;
ctx.session.views = ++n;
ctx.body = n + ' views';
});
app.listen(3000);
console.log('listening on port 3000');
The cookie name is controlled by the key option, which defaults
to "koa:sess". All other options are passed to ctx.cookies.get() and
ctx.cookies.set() allowing you to control security, domain, path,
and signing among other settings.
encode/decode SupportUse options.encode and options.decode to customize your own encode/decode methods.
valid(): valid session value before use itbeforeSave(): hook before save sessionThe session is stored in a cookie by default, but it has some disadvantages:
You can store the session content in external stores (Redis, MongoDB or other DBs) by passing options.store with three methods (these need to be async functions):
get(key, maxAge, { rolling }): get session object by keyset(key, sess, maxAge, { rolling, changed }): set session object for key, with a maxAge (in ms)destroy(key): destroy session for keyOnce you pass options.store, session storage is dependent on your external store -- you can't access the session if your external store is down. Use external session stores only if necessary, avoid using session as a cache, keep the session lean, and store it in a cookie if possible!
The way of generating external session id is controlled by the options.genid(ctx), which defaults to uuid.v4().
If you want to add prefix for all external session id, you can use options.prefix, it will not work if options.genid(ctx) present.
If your session store requires data or utilities from context, opts.ContextStore is also supported. ContextStore must be a class which claims three instance methods demonstrated above. new ContextStore(ctx) will be executed on every request.
koa-session will emit event on app when session expired or invalid:
session:missed: can't get session value from external store.session:invalid: session value is invalid.session:expired: session value is expired.External key is used the cookie by default, but you can use options.externalKey to customize your own external key methods. options.externalKey with two methods:
get(ctx): get the external keyset(ctx, value): set the external keyReturns true if the session is new.
if (this.session.isNew) {
// user has not logged in
} else {
// user has already logged in
}
Get cookie's maxAge.
Set cookie's maxAge.
Save this session no matter whether it is populated.
Session headers are auto committed by default. Use this if autoCommit is set to false.
To destroy a session simply set it to null:
this.session = null;
MIT
FAQs
Koa cookie session middleware with external store support
The npm package koa-session receives a total of 163,678 weekly downloads. As such, koa-session popularity was classified as popular.
We found that koa-session demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 8 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.
Security News
PyPI now supports digital attestations, enhancing security and trust by allowing package maintainers to verify the authenticity of Python packages.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.