Security

Session Management

v1.2.4

Manage user state across requests with a powerful, driver-based session system. CanxJS v1.2.4 introduces robust Database and Redis drivers for production-ready session handling.

Multiple Drivers

Support for Database, Redis, File, and Memory stores

Secure by Default

HttpOnly cookies, CSRF protection, and encryption

Flash Data

Store temporary data that is available only on the very next request

Typed API

Type-safe session interface for better DX

Configuration

Configure your session driver in config/session.ts. The database driver is the default and is the one recommended for production.

config/session.ts

// config/session.ts
export const sessionConfig = {
  // Supported drivers: "memory", "database", "file", "redis"
  driver: process.env.SESSION_DRIVER || "database",

  // Session lifetime in seconds (default: 2 hours)
  lifetime: 120 * 60,

  // Cookie name
  cookie: "canx_session",

  // Database table name (for database driver)
  table: "sessions",
};

Database Driver Setup

To use the database driver, you must create a migration for the sessions table.

database/migrations/create_sessions_table.ts

import { Migration, Schema } from "canxjs";

export class CreateSessionsTable extends Migration {
  async up() {
    await Schema.create("sessions", (table) => {
      table.string("id").primary();
      table.foreignId("user_id").nullable().index();
      table.string("ip_address", 45).nullable();
      table.text("user_agent").nullable();
      table.text("payload");
      table.integer("last_activity").index();
    });
  }

  async down() {
    await Schema.drop("sessions");
  }
}

Usage

Access the session instance through req.session on the request object.

controllers/AuthController.ts

// In a controller or route handler.
// `user` is the already-authenticated user record; loading it is outside this snippet.
export const login = async (req, res) => {
  // Store data in session
  req.session.put("user_id", user.id);
  req.session.put("role", "admin");

  // Flash messages (available only on the next request)
  req.session.flash("success", "Welcome back!");

  return res.redirect("/dashboard");
};

export const dashboard = async (req, res) => {
  // Retrieve data
  const userId = req.session.get("user_id");
  const message = req.session.get("success"); // Flash message from the login request

  // Remove a single key
  req.session.forget("role");

  // Clear the entire session (for example on logout)
  req.session.flush();
};
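As an added example (not part of the CanxJS documentation or code base), the following TypeScript models the sessions table and the req.session API above in memory, to show how the lifetime from config/session.ts expires a session and why flash data is readable on exactly one following request. The names SessionTable, Session.save() and demo are assumptions of this example.

```typescript
// Added illustration, not CanxJS code: a minimal driver modelled on the page's sessions table and API.
type Data = Record<string, unknown>;
type Row = { id: string; user_id: number | null; payload: string; last_activity: number };
export const LIFETIME = 120 * 60; // seconds, matching config/session.ts

// Stands in for the "sessions" table (id, user_id, payload, last_activity).
export class SessionTable {
  rows = new Map<string, Row>();
  load(id: string, now: number): Data | null {
    const row = this.rows.get(id);
    if (!row) return null;
    if (now - row.last_activity > LIFETIME) { this.rows.delete(id); return null; } // expired: drop, never revive
    return JSON.parse(row.payload) as Data;
  }
  save(id: string, data: Data, now: number): void {
    const user_id = typeof data.user_id === "number" ? data.user_id : null;
    this.rows.set(id, { id, user_id, payload: JSON.stringify(data), last_activity: now });
  }
}
export class Session {
  private data: Data;
  private oldFlash: string[];      // flashed by the previous request: readable now, dropped on save()
  private newFlash: string[] = []; // flashed by this request: readable on the next one only
  private table: SessionTable; private id: string; private now: number;
  constructor(table: SessionTable, id: string, now: number) {
    this.table = table; this.id = id; this.now = now;
    this.data = table.load(id, now) ?? {};
    this.oldFlash = (this.data._flash as string[] | undefined) ?? [];
  }
  put(key: string, value: unknown): void { this.data[key] = value; }
  get<T = unknown>(key: string): T | undefined { return this.data[key] as T | undefined; }
  flash(key: string, value: unknown): void { this.put(key, value); this.newFlash.push(key); }
  forget(key: string): void { delete this.data[key]; }
  flush(): void { this.data = {}; this.oldFlash = []; this.newFlash = []; }
  // Persist at end of request: age out last request's flash keys, keep this request's for the next one.
  save(): void {
    for (const k of this.oldFlash) if (!this.newFlash.includes(k)) delete this.data[k];
    this.data._flash = this.newFlash;
    this.table.save(this.id, this.data, this.now);
  }
}
// Constructed scenario on one session id: login flashes a message, the dashboard sees it once,
// a later request does not, and a request after LIFETIME has elapsed finds an empty session.
export function demo(): { first: string | undefined; later: string | undefined; expiredUser: number | undefined } {
  const table = new SessionTable(); const login = new Session(table, "sid-1", 1000);
  login.put("user_id", 42); login.flash("success", "Welcome back!"); login.save();
  const dash = new Session(table, "sid-1", 1001); const first = dash.get<string>("success"); dash.save();
  const later = new Session(table, "sid-1", 1002);
  const expired = new Session(table, "sid-1", 1002 + LIFETIME + 1);
  return { first, later: later.get<string>("success"), expiredUser: expired.get<number>("user_id") };
}
```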

Next Steps

Secure your application with comprehensive authentication features.