# SessionServerStore

SessionServerStore is a server-side session store. It can be used with
[`Plug.Session`](//hexdocs.pm/plug/Plug.Session.html) and
[`SessionHeaderPlug`](//hexdocs.pm/session_header_plug).

While client-side session storage (e.g., `Plug.Session.COOKIE`, stateless JWT)
is perfectly adequate for trivial or anonymous information, it is inadequate for
sensitive or identifying information. Client-side sessions can’t be invalidated,
which is to say that they cannot actually be destroyed or updated (though they
can expire). The client can discontinue the use of a session and possibly use a
new one in its place, but a rogue client, browser, script, user, or even a
restore from a backup can resurrect the old session as long as it has not
expired. This renders client storage completely ill-suited to authenticated
user sessions.

Client-side sessions are also subject to bloat. As more data is stored in the
session, the client has to accommodate the extra size, and since the session
must be included with every request to the server, the transport size grows
with it.

With SessionServerStore the unambiguous truth lives on your server. Sessions can
be fully updated, destroyed, and expired. Sensitive data is stored on the
server, where it can only be reached by a client presenting the session ID.

The session ID generated by SessionServerStore is 128 bytes. Regardless of how
much data is stored in the session, the client will only need to store and
transmit this small session ID.

## Installation

Add `session_server_store` to your list of dependencies in mix.exs:

```elixir
defp deps do
  [
    {:session_server_store, "~> 0.1.0"},
  ]
end
```

## Usage

### Plug.Session

```elixir
plug Plug.Session,
  store: SessionServerStore,
  key: "sid",
  max_age: 86400,
  timeout: 86400,
  idle_timeout: :infinity
```

### SessionHeaderPlug

```elixir
plug SessionHeaderPlug,
  store: SessionServerStore,
  key: "session-id",
  timeout: 86400,
  idle_timeout: :infinity
```
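To make the server-side model concrete, here is an added example of a minimal store that satisfies the `Plug.Session.Store` behaviour (`init/1`, `get/3`, `put/4`, `delete/3`) and honours `timeout` and `idle_timeout` options like the ones configured above. It is not the SessionServerStore library's own code. It assumes Plug is available as a dependency; the ETS table name, the record layout, the session-ID scheme (32 random bytes, base64url-encoded) and the interpretation of `timeout` as the absolute lifetime and `idle_timeout` as the inactivity limit are choices made for this example only.

```elixir
# Added example, not SessionServerStore's implementation. Demonstrates the
# server-side property the README relies on: once a session is deleted or has
# expired on the server, presenting its ID again yields nothing.
defmodule ExampleServerStore do
  @behaviour Plug.Session.Store

  # Constructed table name; in a real application the table should be owned by
  # a supervised process so it outlives whichever caller created it.
  @table :example_server_store_sessions

  @impl true
  def init(opts) do
    if :ets.whereis(@table) == :undefined do
      :ets.new(@table, [:named_table, :public, :set])
    end

    %{
      # Assumed semantics: absolute lifetime and inactivity limit, in seconds.
      timeout: Keyword.get(opts, :timeout, 86_400),
      idle_timeout: Keyword.get(opts, :idle_timeout, :infinity)
    }
  end

  # Plug.Session passes the raw cookie/header value as `sid`.
  @impl true
  def get(_conn, sid, state) do
    now = System.system_time(:second)

    case :ets.lookup(@table, sid) do
      [{^sid, data, created_at, last_seen_at}] ->
        if expired?(now, created_at, last_seen_at, state) do
          # Expired on the server: remove it so the ID can never be revived.
          :ets.delete(@table, sid)
          {nil, %{}}
        else
          # Touch last_seen_at (4th tuple element) to keep the session alive.
          :ets.update_element(@table, sid, {4, now})
          {sid, data}
        end

      [] ->
        {nil, %{}}
    end
  end

  # A nil sid means Plug.Session is creating a brand-new session.
  @impl true
  def put(conn, nil, data, state), do: put(conn, new_sid(), data, state)

  def put(_conn, sid, data, _state) do
    now = System.system_time(:second)

    # Keep the original creation time on update so `timeout` is absolute.
    created_at =
      case :ets.lookup(@table, sid) do
        [{^sid, _data, created_at, _last_seen}] -> created_at
        [] -> now
      end

    :ets.insert(@table, {sid, data, created_at, now})
    sid
  end

  @impl true
  def delete(_conn, sid, _state) do
    :ets.delete(@table, sid)
    :ok
  end

  defp expired?(now, created_at, last_seen_at, %{timeout: timeout, idle_timeout: idle}) do
    now - created_at > timeout or (idle != :infinity and now - last_seen_at > idle)
  end

  # Constructed ID scheme for this example; the library's own is not shown here.
  defp new_sid, do: :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
end

# Constructed walkthrough. The store never inspects the conn, so nil stands in
# for it here; under Plug.Session the real %Plug.Conn{} is passed instead.
state = ExampleServerStore.init(timeout: 86_400, idle_timeout: 600)
sid = ExampleServerStore.put(nil, nil, %{"user_id" => 42}, state)
{^sid, %{"user_id" => 42}} = ExampleServerStore.get(nil, sid, state)

# Update in place: the client still holds the same ID, the server holds new data.
^sid = ExampleServerStore.put(nil, sid, %{"user_id" => 42, "role" => "admin"}, state)
{^sid, %{"role" => "admin"}} = ExampleServerStore.get(nil, sid, state)

# Destroy: the old ID is now worthless, however the client obtained it.
:ok = ExampleServerStore.delete(nil, sid, state)
{nil, %{}} = ExampleServerStore.get(nil, sid, state)
```

The walkthrough at the bottom exercises the three operations a client-side store cannot offer: update without reissuing the ID, destruction, and server-enforced expiry. Everything about the session except its opaque ID stays on the server, which is also why the client's transport cost does not grow with the session's contents.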

## Caveats

Because the store is in-memory, sessions are not shared between servers. If you
deploy to more than one machine, you will want to use a distributed server-side
session store instead.