hapi-server-session v5.1.2
hapi-server-session
Simple server-side session support for hapi
Install
$ npm install hapi-server-session
For typescript users:
$ npm install @types/hapi-server-session
Example
'use strict';
const hapi = require('@hapi/hapi');
const main = async () => {
const server = new hapi.Server({
host: 'localhost',
address: '127.0.0.1',
port: 8000,
});
await server.register({
plugin: require('hapi-server-session'),
options: {
cookie: {
isSecure: false, // never set to false in production
},
},
});
server.route({
method: 'GET',
path: '/',
handler: (request, _h) => {
request.session.views = request.session.views + 1 || 1;
return 'Views: ' + request.session.views;
},
});
await server.start();
};
main().catch(console.error);
Options
algorithm
: Default:'sha256'
algorithm to use during signingcache
: supports the same options asserver.cache(options)
expiresIn
: Default: sessionexpiresIn
if set or2147483647
session cache expiration in millisecondssegment
: Default:'session'
session cache segment
cookie
: supports the same options asserver.state(name, [options])
isSameSite
: Default:'Lax'
sets theSameSite
flagpath
: Default:'/'
sets thePath
flagttl
: Default: sessionexpiresIn
if set sets theExpires
andMax-Age
flags
expiresIn
: session expiration in millisecondsname
: Default:'id'
name of the cookiekey
: signing key. Prevents weaknesses in randomness from affecting overall securitysize
: Default:16
number of random bytes in the session idvhost
: Default:*
host or list of hosts that plugin should be enabled for
Questions
Can you explain what the expiresIn
and ttl
options do?
When the session expiresIn
is not set, the cookie ttl
is not set and the cache expiresIn
is 2147483647
. This creates a true session cookie, i.e. one that is deleted when the browser is closed, but will last forever otherwise. This is the default with no configuration.
When the session expiresIn
is set, it defaults both the cookie ttl
and the cache expiresIn
to the same value. This creates a session that will last expiresIn
milliseconds. Even if the cookie ttl
is ignored by the browser, the server-side cache will expire.
More complex configurations are possible. For example, when the session expiresIn
is set and the cookie ttl
is explicitly set to null
, a session will last until the browser is closed, but no longer than expiresIn
milliseconds.
How do I destroy the session (e.g. to logout a user)?
delete request.session;
will unset the cookie and delete the session from the cache.
Changes
v5.1.0
- support vhost option
v5.0.0
- support hapi v19
v4.3.0
- add way to destroy the session
v4.2.0
- default cookie
path
to'/'
v4.1.0
- default cookie
ttl
to sessionexpiresIn
- remove
key
requirement on sessionexpiresIn
v4.0.0
- support hapi v17
v3.0.0
- default
SameSite
flag toLax
. Could break sites that require session during certain kinds of cross site requests. See https://www.owasp.org/index.php/SameSite
Author
4 years ago
5 years ago
5 years ago
5 years ago
6 years ago
6 years ago
6 years ago
6 years ago
7 years ago
7 years ago
7 years ago
7 years ago
7 years ago
7 years ago
8 years ago
8 years ago
8 years ago
8 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago
9 years ago