Module: Tynn::Session

Defined in:
lib/tynn/session.rb

Overview

Public: Adds simple cookie based session management. You can pass a secret token to sign the cookie data, thus unauthorized means can’t alter it.

Examples

require "tynn"
require "tynn/session"

Tynn.plugin(Tynn::Session, secret: "__change_me__")

Tynn.define do
  root do
    res.write(sprintf("hei %s", session[:username]))
  end

  on(:username) do |username|
    session[:username] = username
  end
end

The following command generates a cryptographically secure secret ready to use:

$ ruby -r securerandom -e "puts SecureRandom.hex(64)"

It’s important to keep the token secret. Knowing the token allows an attacker to tamper the data. So, it’s recommended to load the token from the environment.

Examples

Tynn.plugin(Tynn::Session, secret: ENV["SESSION_SECRET"])

Under the hood, Tynn::Session uses the Rack::Session::Cookie middleware. Thus, supports all the options available for this middleware:

key - The name of the cookie. Defaults to "rack.session".

httponly - If true, sets the HttpOnly flag. This mitigates the

risk of client side scripting accessing the cookie. Defaults
to +true+.

secure - If true, sets the Secure flag. This tells the browser

to only transmit the cookie over HTTPS. Defaults to `false`.

expire_after - The lifespan of the cookie. If nil, the session cookie

is temporary and is no retained after the browser is
closed. Defaults to +nil+.

Examples

Tynn.plugin(
  Tynn::Session,
  key: "app",
  secret: ENV["SESSION_SECRET"],
  expire_after: 36_000, # seconds
  httponly: true,
  secure: true
)

Defined Under Namespace

Modules: InstanceMethods

Class Method Summary collapse

Class Method Details

.setup(app, options = {}) ⇒ Object

Internal: Configures Rack::Session::Cookie middleware.



64
65
66
67
68
69
70
 
# File 'lib/tynn/session.rb', line 64

def self.setup(app, options = {})
  if app.settings[:ssl]
    options = { secure: true }.merge(options)
  end

  app.use(Rack::Session::Cookie, options)
end