koa-session

What is koa-session?

koa-session is a session middleware for Koa, a popular web framework for Node.js. It provides a way to manage user sessions, including storing session data, setting session cookies, and handling session expiration.

What are koa-session's main functionalities?

Basic Session Setup

This code sets up a basic Koa application with session management. It configures the session middleware with various options like cookie key, max age, and httpOnly flag. The middleware is then used to track the number of views for each session.

const Koa = require('koa');
const session = require('koa-session');
const app = new Koa();

app.keys = ['some secret hurr'];
const CONFIG = {
  key: 'koa:sess', // cookie key (default is koa:sess)
  maxAge: 86400000, // cookie's max age in ms (1 day)
  autoCommit: true, // automatically commit headers (default true)
  overwrite: true, // can overwrite or not (default true)
  httpOnly: true, // httpOnly or not (default true)
  signed: true, // signed or not (default true)
  rolling: false, // Force a session identifier cookie to be set on every response. The expiration is reset to the original maxAge, resetting the expiration countdown.
  renew: false, // renew session when session is nearly expired, so we can always keep user logged in.
};

app.use(session(CONFIG, app));

app.use(ctx => {
  if (ctx.path === '/favicon.ico') return;
  let n = ctx.session.views || 0;
  ctx.session.views = ++n;
  ctx.body = n + ' views';
});

app.listen(3000);

Custom Session Store

This code demonstrates how to use a custom session store with koa-session. The custom store is implemented using a simple in-memory Map. The store object provides methods for getting, setting, and destroying session data.

const Koa = require('koa');
const session = require('koa-session');
const app = new Koa();

app.keys = ['some secret hurr'];

const store = {
  storage: new Map(),
  get(key) {
    return this.storage.get(key);
  },
  set(key, sess) {
    this.storage.set(key, sess);
  },
  destroy(key) {
    this.storage.delete(key);
  }
};

const CONFIG = {
  store,
};

app.use(session(CONFIG, app));

app.use(ctx => {
  if (ctx.path === '/favicon.ico') return;
  let n = ctx.session.views || 0;
  ctx.session.views = ++n;
  ctx.body = n + ' views';
});

app.listen(3000);

Session Regeneration

This code shows how to regenerate a session in koa-session. When the user accesses the '/regenerate' path, the session is regenerated, which can be useful for security purposes, such as after a user logs in.

const Koa = require('koa');
const session = require('koa-session');
const app = new Koa();

app.keys = ['some secret hurr'];
const CONFIG = {};

app.use(session(CONFIG, app));

app.use(async ctx => {
  if (ctx.path === '/favicon.ico') return;
  if (ctx.path === '/regenerate') {
    await ctx.regenerateSession();
    ctx.body = 'Session regenerated';
  } else {
    let n = ctx.session.views || 0;
    ctx.session.views = ++n;
    ctx.body = n + ' views';
  }
});

app.listen(3000);

Other packages similar to koa-session

express-session

express-session is a session middleware for Express, another popular web framework for Node.js. It provides similar functionalities to koa-session, such as session storage, cookie management, and session expiration. However, it is designed to work with Express rather than Koa.

cookie-session

cookie-session is a lightweight session middleware that stores session data in cookies rather than on the server. This can be useful for small session data and simplifies the setup by not requiring a session store. It works with both Koa and Express.

koa-generic-session

koa-generic-session is another session middleware for Koa. It provides more flexibility and customization options compared to koa-session, such as support for different session stores and more advanced session management features.

README

koa-session

Simple session middleware for Koa. Defaults to cookie-based sessions and supports external stores.

Requires Node 8.0.0 or greater for async/await support

Installation

$ npm install koa-session

Notice

6.x changed the default cookie key from koa:sess to koa.sess to ensure set-cookie value valid with HTTP spec.see issue. If you want to be compatible with the previous version, you can manually set config.key to koa:sess.

Example

View counter example:

const session = require('koa-session');
const Koa = require('koa');
const app = new Koa();

app.keys = ['some secret hurr'];

const CONFIG = {
  key: 'koa.sess', /** (string) cookie key (default is koa.sess) */
  /** (number || 'session') maxAge in ms (default is 1 days) */
  /** 'session' will result in a cookie that expires when session/browser is closed */
  /** Warning: If a session cookie is stolen, this cookie will never expire */
  maxAge: 86400000,
  autoCommit: true, /** (boolean) automatically commit headers (default true) */
  overwrite: true, /** (boolean) can overwrite or not (default true) */
  httpOnly: true, /** (boolean) httpOnly or not (default true) */
  signed: true, /** (boolean) signed or not (default true) */
  rolling: false, /** (boolean) Force a session identifier cookie to be set on every response. The expiration is reset to the original maxAge, resetting the expiration countdown. (default is false) */
  renew: false, /** (boolean) renew session when session is nearly expired, so we can always keep user logged in. (default is false)*/
  secure: true, /** (boolean) secure cookie*/
  sameSite: null, /** (string) session cookie sameSite options (default null, don't set it) */
};

app.use(session(CONFIG, app));
// or if you prefer all default config, just use => app.use(session(app));

app.use(ctx => {
  // ignore favicon
  if (ctx.path === '/favicon.ico') return;

  let n = ctx.session.views || 0;
  ctx.session.views = ++n;
  ctx.body = n + ' views';
});

app.listen(3000);
console.log('listening on port 3000');

API

Options

The cookie name is controlled by the key option, which defaults to "koa.sess". All other options are passed to ctx.cookies.get() and ctx.cookies.set() allowing you to control security, domain, path, and signing among other settings.

Custom encode/decode Support

Use options.encode and options.decode to customize your own encode/decode methods.

Hooks

• valid(): valid session value before use it
• beforeSave(): hook before save session

External Session Stores

The session is stored in a cookie by default, but it has some disadvantages:

• Session is stored on client side unencrypted
• Browser cookies always have length limits

You can store the session content in external stores (Redis, MongoDB or other DBs) by passing options.store with three methods (these need to be async functions):

• get(key, maxAge, { rolling, ctx }): get session object by key
• set(key, sess, maxAge, { rolling, changed, ctx }): set session object for key, with a maxAge (in ms)
• destroy(key, {ctx}): destroy session for key

Once you pass options.store, session storage is dependent on your external store -- you can't access the session if your external store is down. Use external session stores only if necessary, avoid using session as a cache, keep the session lean, and store it in a cookie if possible!

The way of generating external session id is controlled by the options.genid(ctx), which defaults to uuid.v4().

If you want to add prefix for all external session id, you can use options.prefix, it will not work if options.genid(ctx) present.

If your session store requires data or utilities from context, opts.ContextStore is also supported. ContextStore must be a class which claims three instance methods demonstrated above. new ContextStore(ctx) will be executed on every request.

Events

koa-session will emit event on app when session expired or invalid:

• session:missed: can't get session value from external store.
• session:invalid: session value is invalid.
• session:expired: session value is expired.

Custom External Key

External key is used the cookie by default, but you can use options.externalKey to customize your own external key methods. options.externalKey with two methods:

• get(ctx): get the external key
• set(ctx, value): set the external key

Session#isNew

Returns true if the session is new.

if (this.session.isNew) {
  // user has not logged in
} else {
  // user has already logged in
}

Session#maxAge

Get cookie's maxAge.

Session#maxAge=

Set cookie's maxAge.

Session#externalKey

Get session external key, only exist when external session store present.

Session#save()

Save this session no matter whether it is populated.

Session#manuallyCommit()

Session headers are auto committed by default. Use this if autoCommit is set to false.

Destroying a session

To destroy a session simply set it to null:

this.session = null;

License

MIT

Changelog

7.0.0 (2025-01-19)

⚠ BREAKING CHANGES

• drop Node.js < 18.19.0 support

Features

• support cjs and esm both by tshy (#228) (575864c)

6.4.0 / 2023-02-04

features

• [4cd3bef] - feat: Add Session.regenerate() method (#221) (Jürg Lehni <juerg@scratchdisk.com>)

6.3.1 / 2023-01-03

fixes

• [e2de39e] - fix: keep crc v3 (#223) (fengmk2 <fengmk2@gmail.com>)

6.3.0 / 2023-01-03

features

• [878669e] - feat: update uuid to v8 (#218) (zhennann <zhen.nann@icloud.com>)

others

• [df2d28f] - test: run ci on GitHub Action (#222) (fengmk2 <fengmk2@gmail.com>)

6.2.0 / 2021-03-30

features

• [7cde341] - feat: add session.externalKey (#207) (Yiyu He <dead_horse@qq.com>)

6.1.0 / 2020-10-08

features

• [32e3526] - feat: add context to external store .get() and .set() options params (#201) (Ngorror <ngorror@gmail.com>)

others

• [f765595] - chore: Create LICENSE File (#195) (Dominic Egginton <dominic.egginton@gmail.com>) 6.0.0 / 2020-04-26 ==================

fixes

• [d34fc8e] - fix: RFC6265 compliant default cookie name (#197) (zacanger <zac@zacanger.com>)
  • [BREAKING CHANGE]: Default cookie is now koa.sess rather than koa:sess

5.13.1 / 2020-02-01

fixes

• [ecd1f5e] - fix: don't set any value to sameSite by default (#194) (fengmk2 <fengmk2@gmail.com>)

5.13.0 / 2020-02-01

features

• [cb09a09] - feat: support session cookie sameSite options (#193) (fengmk2 <fengmk2@gmail.com>)

5.12.3 / 2019-08-23

fixes

• [909d93f] - fix: correctly expire cookies for nullified sessions (Justin <jmitchell38488@users.noreply.github.com>)

5.12.2 / 2019-07-10

fixes

• [c23bab4] - fix: remvoe unused code (dead-horse <dead_horse@qq.com>)

5.12.1 / 2019-07-10

fixes

• [77968e3] - fix: ensure ctx.session always has value (dead-horse <dead_horse@qq.com>)

5.12.0 / 2019-05-17

features

• [39ca830] - feat: add the parameter "ctx" to the function "genid" so can get the … (#173) (松松 <1733458402@qq.com>)

others

• [3d57a44] - docs: add genid(ctx) in readme (dead-horse <dead_horse@qq.com>)

5.11.0 / 2019-04-29

features

• [b79134d] - feat: make sure session id is global unique (#170) (fengmk2 <fengmk2@gmail.com>)

fixes

• [c2b4259] - fix: remove package-lock.json (fengmk2 <fengmk2@gmail.com>)

others

• [23ad871] - deps: Fix security vulnerabilities from npm audit (#163) (Douglas Wade <douglas.b.wade@gmail.com>)
• [1600aab] - test: changed "ctx.session is mockable" tests names to more appropriate (#158) (Vitaliy Zaytsev <teh.kroleg@gmail.com>)

5.10.1 / 2018-12-18

features

• [5f12f70] - feat: allow init multi session middleware (#159) (killa <killa123@126.com>)

fixes

• [89c048a] - fix: moved "pedding" package to dev dependencies (#155) (Vitaliy Zaytsev <teh.kroleg@gmail.com>)

5.10.0 / 2018-10-29

features

• [81906f7] - feat: support options.externalKey #88 (#149) (Tree Xie <vicansocanbico@gmail.com>)

5.9.0 / 2018-08-28

features

• [7241400] - feat: Add autoCommit option (#139) (Jonas Galvez <jonasgalvez@gmail.com>)

5.8.3 / 2018-08-22

fixes

• [6f1a41c] - fix: session not works (#136) (吖猩 <whxaxes@qq.com>)

others

• [95272ff] - fix typo in README.md (#134) (Maples7 <maples7@163.com>)

5.8.2 / 2018-07-12

fixes

• [c487944] - fix: Fixes a bug that reset the cookie expire date to the default (1 day) when using browser sessions (maxAge: 'session') (#117) (Adriano <adrianocola@gmail.com>)

others

• [9050605] - deps: Upgrade debug@^3.1.0 (#107) (Daniel Tseng <s92f002@hotmail.com>)
• [c48e1e0] - Update Readme.md (#123) (Wellington Soares <well.cco@gmail.com>)

5.8.1 / 2018-01-17

fixes

• [bdb4fd4] - fix: ensure store expired after cookie (dead-horse <dead_horse@qq.com>)

5.8.0 / 2018-01-17

features

• [bb5f4bf] - feat: support opts.renew (#111) (Yiyu He <dead_horse@qq.com>)

5.7.1 / 2018-01-11

fixes

• [72fa5fe] - fix: emit event in next tick (dead-horse <dead_horse@qq.com>)

5.7.0 / 2018-01-09

features

• [a2401c8] - feat: emit event expose ctx (dead-horse <dead_horse@qq.com>)

5.6.0 / 2018-01-09

features

• [f00c1ef] - feat: emit events when session invalid (#108) (Yiyu He <dead_horse@qq.com>)

5.5.1 / 2017-11-17

others

• [b976b10] - perf: no need to assign opts (#103) (Yiyu He <dead_horse@qq.com>)
• [c040b59] - chore: fix example bug and use syntactic sugar (#97) (Runrioter Wung <runrioter@gmail.com>)
• [906277a] - docs: copyediting (#85) (Nate Silva <natesilva@users.noreply.github.com>)

5.5.0 / 2017-08-04

features

• [ec88cfb] - feat: support options.prefix for external store (#93) (Yiyu He <dead_horse@qq.com>)

5.4.0 / 2017-07-03

• feat: opts.genid (#87)

5.3.0 / 2017-06-17

• feat: support rolling (#84)

5.2.0 / 2017-06-15

• feat: support options.ContextStore (#81)

5.1.0 / 2017-06-01

• Create capability to create cookies that expire when browser is close… (#77)

5.0.0 / 2017-03-12

• feat: async/await support (#70)

4.0.1 / 2017-03-01

• fix: ctx.session should be configurable (#67)

4.0.0 / 2017-02-27

• [BREAKING CHANGE]: Drop support for node < 4.
• [BREAKING CHANGE]: Internal implementations are changed, so some private API is changed.
  • Change private api session.save(), won't set cookie immediately now.
  • Remove private api session.changed().
  • Remove undocumented property context.sessionKey, can use opts.key instead.
  • Change undocumented property context.sessionOptions to getter.
• feat: Support external store by pass options.store.
• feat: Throw when encode session error, consider a breaking change.
• feat: Clean cookie when decode session throw error, ensure next request won't throw again.
• fix: Customize options.decode will check expired now
• docs: Remove Semantics in README because it's not "guest" sessions any more

3.4.0 / 2016-10-15

• fix: add 'session' name for middleware function (#58)
• chore(package): update dependencies
• readme: ignore favicon in example

3.3.1 / 2015-07-08

• code: fix error in variable referencing

3.3.0 / 2015-07-07

• custom encode/decode support

3.2.0 / 2015-06-08

• feat: add opts.valid() and opts.beforeSave() hooks

3.1.1 / 2015-06-04

• deps: upgrade deep-equal to 1.0.0
• fix: allow get session property before enter session middleware

3.1.0 / 2014-12-25

• add session.maxAge
• set expire in cookie value

3.0.0 / 2014-12-11

• improve performance by reduce hiddin class on every request
• refactor with commit() helper
• refactor error handling with finally statement

2.0.0 / 2014-02-17

• changed cookies to be base64-encoded (somewhat breaks backwards compatibility)

1.2.1 / 2014-02-04

• fix saving sessions when a downstream error is thrown

1.2.0 / 2013-12-21

• remove sid from docs
• remove uid2 dep
• change: only save new sessions if populated
• update to use new middleware signature

1.1.0 / 2013-11-15

• add change check, removing the need for .save()
• add sane defaults. Closes #4
• add session clearing support. Closes #9
• remove public .save()