# Ecto Sessions
**Database backend sessions with Ecto.**
[![ecto_sessions in hex.pm](https://img.shields.io/hexpm/v/ecto_sessions?style=flat)](https://hex.pm/packages/ecto_sessions)
[![ecto_sessions documentation](https://img.shields.io/badge/hex.pm-docs-green.svg?style=flat)](https://hexdocs.pm/ecto_sessions/)
`ecto_sessions` helps you easily and securely manage database backed sessions
in your Ecto project.
It might be used, for example to manage authorization via cookies or API keys.
The medium you will use the sessions is up to the application implementation.
Ex: session id to be used in a Cookie or X-Api-Token for a REST API.
Using database backed session, might be very helpful in some scenarios.
It has quite a few benefits and drawbacks comparing to signed sessions,
for example `JWT` or signed cookies. It might also be used in combination
with the later.
Advantages:
- Ability to query active sessions for a given user.
Ex: list the devices where a user has a valid session;
- Full control of the validity: at any time your application will be able to
control if a given session is valid, change their expiration and even
revalidate expired tokens at any time.
- Ability to store arbitrary data, without increasing the token size.
Disadvantages:
- Depending on the design, you might be adding a database query on each
request - just like traditional sessions;
Note that you can use a separate database, and furthermore this code
might also be adapted for different backends, like key-value stores.
- Clients and other services will not be able to inspect the contents
of the token. This might be useful for example to predict if a token
is expired before making a request.
This might also be considered an advantage in scenarios you don't want
to give any control to the client.
One design that allows you to have the benefits of stateless and
stateful sessions combined, is to have *short-lived signed tokens*,
and then database backend sessions for long-lived *refresh tokens*.
## Installation
The package can be installed by adding `ecto_sessions`
to your list of dependencies in `mix.exs`:
```elixir
def deps do
[
{:ecto_sessions, "~> 0.1.0"}
]
end
```
Then, in your ecto app create the following module:
```elixir
defmodule MyApp.Sessions do
use EctoSessions,
repo: MyApp.Repo
```
Refer to [EctoSessions module documentation](https://hexdocs.pm/ecto_sessions/EctoSessions.html) for more details.