SessionServerStore
SessionServerStore is a server-side session store. It can be used with Plug.Session and SessionHeaderPlug.
While client-side session storage (e.g. Plug.Session.COOKIE or a stateless JWT) is perfectly adequate for trivial or anonymous information, it is inadequate for sensitive or identifying information. Client-side sessions cannot be invalidated: they cannot actually be destroyed or updated, only allowed to expire. The client can stop using a session and perhaps adopt a new one in its place, but a rogue client, browser, script, user, or even a restore from a backup can resurrect the invalidated session. This makes client-side storage completely ill-suited to authenticated user sessions.
Client-side sessions are also subject to bloat. As more data is stored in the session, the client has to accommodate the extra size, and because the session is sent with every request, the transport size grows with it.
With SessionServerStore the unambiguous truth lives on your server. Sessions can be fully updated, destroyed, and expired. Sensitive data is stored securely on the server, where the client can reach it only by presenting the session ID.
The session ID generated by SessionServerStore is 128 bytes. Regardless of how much data is stored in the session, the client only needs to store and transmit this small session ID.
Installation
Add session_server_store to your list of dependencies in mix.exs:
    defp deps do
      [
        {:session_server_store, "~> 0.1.0"},
      ]
    end

Usage
Plug.Session
    plug Plug.Session,
      store: SessionServerStore,
      key: "sid",
      max_age: 86400,
      timeout: 86400,
      idle_timeout: :infinity

SessionHeaderPlug
    plug SessionHeaderPlug,
      store: SessionServerStore,
      key: "session-id",
      timeout: 86400,
      idle_timeout: :infinity

Caveats
Since the store is in-memory, sessions are not shared between servers. If you deploy to more than one machine, you will want a distributed server-side session store.
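The following router shows the Plug.Session configuration from the Usage section in a complete login, update and logout flow, and illustrates the point made above: with a server-side store, dropping or renewing a session actually destroys the stored data, so an old session ID is dead even if it is replayed. This is an added example, not code from the session_server_store package or its documentation. It assumes a Plug application with plug and session_server_store as dependencies; MyAppWeb.Router, the :user_id and :theme session keys, the authenticate/2 helper and the demo credential table are hypothetical, and any start-up the store needs in your supervision tree is out of scope here.

```elixir
# Added example, not part of session_server_store. Assumes :plug and
# :session_server_store in deps. MyAppWeb.Router, the session keys, the
# authenticate/2 helper and @demo_users are hypothetical names/values.
defmodule MyAppWeb.Router do
  use Plug.Router

  plug Plug.Parsers, parsers: [:urlencoded]

  # Same configuration as the Usage section: the cookie carries only the
  # session ID; the session data itself lives in SessionServerStore.
  plug Plug.Session,
    store: SessionServerStore,
    key: "sid",
    max_age: 86400,
    timeout: 86400,
    idle_timeout: :infinity

  plug :fetch_session
  plug :match
  plug :dispatch

  # Constructed demo credentials (email => {password, user_id}). A real
  # application looks up the account and verifies a password hash instead.
  @demo_users %{"alice@example.com" => {"correct horse battery staple", 42}}

  post "/login" do
    case authenticate(conn.params["email"], conn.params["password"]) do
      {:ok, user_id} ->
        conn
        # renew: true makes Plug.Session delete the pre-login entry from the
        # store and issue a fresh ID, so an ID handed out before authentication
        # never becomes an authenticated session.
        |> configure_session(renew: true)
        |> put_session(:user_id, user_id)
        |> send_resp(204, "")

      :error ->
        send_resp(conn, 401, "invalid credentials")
    end
  end

  # Reads the server-side data; the client never sees or transmits :user_id.
  get "/me" do
    case get_session(conn, :user_id) do
      nil -> send_resp(conn, 401, "not signed in")
      user_id -> send_resp(conn, 200, "signed in as user #{user_id}")
    end
  end

  # Updates the session in place on the server; the client's ID is unchanged
  # and its request size does not grow with the stored data.
  post "/profile/theme" do
    case get_session(conn, :user_id) do
      nil ->
        send_resp(conn, 401, "not signed in")

      _user_id ->
        conn
        |> put_session(:theme, conn.params["theme"])
        |> send_resp(204, "")
    end
  end

  delete "/logout" do
    # :drop removes the entry from SessionServerStore and clears the cookie.
    # Unlike a client-side session, the old ID is now invalid even if a
    # client, script or restored backup presents it again.
    conn
    |> configure_session(:drop)
    |> send_resp(204, "")
  end

  match _ do
    send_resp(conn, 404, "not found")
  end

  # Hypothetical credential check against the constructed table; uses a
  # constant-time comparison so the password check does not leak timing.
  defp authenticate(email, password) when is_binary(email) and is_binary(password) do
    case Map.fetch(@demo_users, email) do
      {:ok, {expected, user_id}} ->
        if Plug.Crypto.secure_compare(expected, password), do: {:ok, user_id}, else: :error

      :error ->
        :error
    end
  end

  defp authenticate(_email, _password), do: :error
end
```

For an API client that sends the session ID in a header rather than a cookie, swap the Plug.Session block for the SessionHeaderPlug configuration shown in the Usage section; the route bodies stay the same. Keep the Caveats section in mind when reading this: because the store is in-memory, a second node (or a restarted node) will not see sessions created here.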