Skip to content

vvo/iron-session

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

632 Commits

.github

.github

Β 
Β 

.vscode

.vscode

Β 
Β 

examples/next

examples/next

Β 
Β 

sponsor

sponsor

Β 
Β 

src

src

Β 
Β 

.editorconfig

.editorconfig

Β 
Β 

.eslintrc.yaml

.eslintrc.yaml

Β 
Β 

.gitattributes

.gitattributes

Β 
Β 

.gitignore

.gitignore

Β 
Β 

.node-version

.node-version

Β 
Β 

.npmignore

.npmignore

Β 
Β 

.npmrc

.npmrc

Β 
Β 

.prettierignore

.prettierignore

Β 
Β 

.release-it.yaml

.release-it.yaml

Β 
Β 

CHANGELOG.md

CHANGELOG.md

Β 
Β 

CONTRIBUTING.md

CONTRIBUTING.md

Β 
Β 

LICENSE.md

LICENSE.md

Β 
Β 

README.md

README.md

Β 
Β 

package.json

package.json

Β 
Β 

pnpm-lock.yaml

pnpm-lock.yaml

Β 
Β 

pnpm-workspace.yaml

pnpm-workspace.yaml

Β 
Β 

renovate.json

renovate.json

Β 
Β 

tsconfig.json

tsconfig.json

Β 
Β 

tsup.config.ts

tsup.config.ts

Β 
Β 

turbo.json

turbo.json

Β 
Β 

Repository files navigation

iron-session GitHub Workflow Status (with event) GitHub license npm npm npm package minimized gzipped size (select exports)

iron-session is a secure, stateless, and cookie-based session library for JavaScript.

our sponsor:

API-first authentication, authorization, and fraud prevention

Website β€’ Documentation

The session data is stored in signed and encrypted cookies which are decoded by your server code in a stateless fashion (= no network involved). This is the same technique used by frameworks like Ruby On Rails.

Online demo and examples: https://get-iron-session.vercel.app πŸ‘€
Featured in the Next.js documentation ⭐️

Table of Contents

Installation

pnpm add iron-session

Usage

To get a session, there's a single method to know: getIronSession.

// Next.js API Routes and Node.js/Express/Connect.
import { getIronSession } from 'iron-session';

export function get(req, res) {
  const session = getIronSession(req, res, { password: "...", cookieName: "..." });
}

export function post(req, res) {
  const session = getIronSession(req, res, { password: "...", cookieName: "..." });
  session.username = "Alison";
  await session.save();
}
// Next.js Route Handlers (App Router)
import { cookies } from 'next/headers';
import { getIronSession } from 'iron-session';

export function GET() {
  const session = getIronSession(cookies(), { password: "...", cookieName: "..." });
}

export function POST() {
  const session = getIronSession(cookies(), { password: "...", cookieName: "..." });
  session.username = "Alison";
  await session.save();
}
// Next.js Server Components and Server Actions (App Router)
import { cookies } from 'next/headers';
import { getIronSession } from 'iron-session';

async function getIronSessionData() {
  const session = await getIronSession(cookies(), { password: "...", cookieName: "..." });
}

function Profile() {
  const session = await getIronSessionData();

  return <div>{session.username}</div>;
}

Examples

We have many different patterns and examples on the online demo, have a look: https://get-iron-session.vercel.app/.

Project status

βœ… Production ready and maintained.

Session options

Two options are required: password and cookieName. Everything else is automatically computed and usually doesn't need to be changed.****

  • password, required: Private key used to encrypt the cookie. It has to be at least 32 characters long. Use https://1password.com/password-generator/ to generate strong passwords. password can be either a string or an array of objects like this: [{id: 2, password: "..."}, {id: 1, password: "..."}] to allow for password rotation.

  • cookieName, required: Name of the cookie to be stored

  • ttl, optional: In seconds. Default to the equivalent of 14 days. You can set this to 0 and iron-session will compute the maximum allowed value by cookies.

  • cookieOptions, optional: Any option available from jshttp/cookie#serialize except for encode which is not a Set-Cookie Attribute. See Mozilla Set-Cookie Attributes and Chrome Cookie Fields. Default to:

    {
  httpOnly: true,
  secure: true, // set this to false in local (non-HTTPS) development
  sameSite: "lax",// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#lax
  maxAge: (ttl === 0 ? 2147483647 : ttl) - 60, // Expire cookie before the session expires.
  path: "/",
}

API

getIronSession<T>(req, res, sessionOptions): Promise<IronSession<T>>

const session = getIronSession<SessionData>(req, res, sessionOptions);

getIronSession<T>(cookieStore, sessionOptions): Promise<IronSession<T>>

const session = getIronSession<SessionData>(cookies(), sessionOptions);

session.save(): Promise<void>

Saves the session. This is an asynchronous operation. It must be done and awaited before headers are sent to the client.

await session.save()

session.destroy(): void

Destroys the session. This is a synchronous operation as it only removes the cookie. It must be done before headers are sent to the client.

session.destroy()

session.updateConfig(sessionOptions: SessionOptions): void

Updates the configuration of the session with new session options. You still need to call save() if you want them to be applied.

sealData(data: unknown, { password, ttl }): Promise<string>

This is the underlying method and seal mechanism that powers iron-session. You can use it to seal any data you want and pass it around. One usecase are magic links: you generate a seal that contains a user id to login and send it to a route on your website (like /magic-login). Once received, you can safely decode the seal with unsealData and log the user in.

unsealData<T>(seal: string, { password, ttl }): Promise<T>

This is the opposite of sealData and allow you to decode a seal to get the original data back.

FAQ

Why use pure cookies for sessions?

This makes your sessions stateless: since the data is passed around in cookies, you do not need any server or service to store session data.

More information can also be found on the Ruby On Rails website which uses the same technique.

How to invalidate sessions?

Sessions cannot be instantly invalidated (or "disconnect this customer") as there is typically no state stored about sessions on the server by default. However, in most applications, the first step upon receiving an authenticated request is to validate the user and their permissions in the database. So, to easily disconnect customers (or invalidate sessions), you can add an `isBlocked`` state in the database and create a UI to block customers.

Then, every time a request is received that involves reading or altering sensitive data, make sure to check this flag.

Can I use something else than cookies?

Yes, we expose sealData and unsealData which are not tied to cookies. This way you can seal and unseal any object in your application and move seals around to login users.

How is this different from JWT?

Not so much:

  • JWT is a standard, it stores metadata in the JWT token themselves to ensure communication between different systems is flawless.
  • JWT tokens are not encrypted, the payload is visible by customers if they manage to inspect the seal. You would have to use JWE to achieve the same.
  • @hapi/iron mechanism is not a standard, it's a way to sign and encrypt data into seals

Depending on your own needs and preferences, iron-session may or may not fit you.

Credits

Good Reads

About

πŸ›  Secure, stateless, and cookie-based session library for JavaScript

get-iron-session.vercel.app

Topics

nodejs authentication serverless nextjs cookies expressjs session stateless

Resources

Readme

License

MIT license
Activity

Stars

3.3k stars

Watchers

14 watching

Forks

247 forks
Report repository

Releases 34

8.0.1 Latest
Nov 21, 2023
+ 33 releases

Sponsor this project

  •  
  •  
Learn more about GitHub Sponsors

Used by 6k

  • @denis-shemenko
  • @ironquillo24
  • @AtHeartEngineering
  • @bestgoogoo
  • @Cookiesaurus
  • @AcePatterson
  • @dTrials
  • @ErikColacios
+ 6,041

Contributors 42

+ 28 contributors

Languages