Session
Edit on GitHubThis module adds cookie-based sessions to your application.
Install
npm install @primate/session
Configure
Import and initialize the module in your configuration.
import session from "@primate/session";
export default {
modules: [
session(),
],
};
Use
This module creates and sends a session cookie with the response using the
Set-Cookie
header. If the client issues a request with a cookie that
identifies an existing session id, no new cookie is created or sent.
The session's data (which consists only of id
unless you change the
default manager) is made available to the route function as request.session
.
export default {
get(request) {
// send a 200 OK, plain text with the cookie's id as body
return request.session.id;
},
};
By that example, a client requesting GET /
will see its own session id.
Configuration options
name
Default "sessionId"
The session cookie's name.
sameSite
Default "Strict"
The cookie's SameSite
attribute.
path
Default "/"
The cookie's Path
attribute.
manager
Default in-memory session manager
The session manager. When called, it returns a function that is given an id
identifying a session and returns a session object to be set on request
. The
return object must contain a id
property. If the given id and the returned
session.id
differ, a Set-Cookie
header is added to the response.
Unless set, a default in-memory manager will be used, such that sessions do not survive an app restart.
implicit
Default false
Whether sessions should be automatically created, without explicitly calling
request.session.create()
.
Security
Protocol downgrade attacks cookies are sent with the Secure
attribute if
Primate is running on https
Cross-site scripting attacks cookies are always sent with the HttpOnly
attribute