Configuration¶
When initializing a session interface, you have a number of optional arguments for configuring your session.
- domain (str, optional):
Optional domain which will be attached to the cookie. Defaults to None.
- expiry (int, optional):
Seconds until the session should expire. Defaults to 2592000 (30 days). Setting this to 0 or None will set the session as permanent.
- httponly (bool, optional):
Adds the httponly flag to the session cookie. Defaults to True.
- cookie_name (str, optional):
Name used for the client cookie. Defaults to “session”.
- prefix (str, optional):
Storage keys will take the format of prefix+<session_id>. Specify the prefix here.
- sessioncookie (bool, optional):
If enabled the browser will be instructed to delete the cookie when the browser is closed. This is done by omitting the max-age and expires headers when sending the cookie. The expiry configuration option will still be honored on the server side. This is option is disabled by default.
- samesite (str, optional):
One of ‘strict’ or ‘lax’. Defaults to None https://www.owasp.org/index.php/SameSite
- session_name (str, optional):
- Name of the session that will be accessible through the request.e.g. If
session_name
isalt_session
, it should be accessed like that:request.ctx.alt_session
e.g. And ifsession_name
is left to default, it should be accessed like that:request.ctx.session
Note
If you choose to build your application using more than one session object, make sure that they have different:
cookie_name
prefix
(Only if the two cookies share the same store)And obviously, different:
session_name
Example 1:
session_interface = InMemorySessionInterface(
domain='.example.com', expiry=0,
httponly=False, cookie_name="cookie", prefix="sessionprefix:", samesite="strict")
Will result in a session that:
Will be valid only on example.com.
Will never expire.
Will be accessible by Javascript.
Will be named “cookie” on the client.
Will be named “sessionprefix:<sid>” in the session store.
Will prevent the cookie from being sent by the browser to the target site in all cross-site browsing context, even when following a regular link.
Example 2:
session_interface = InMemorySessionInterface(
domain='.example.com', expiry=3600, sessioncookie=True,
httponly=True, cookie_name="myapp", prefix="session:")
Will result in a session that:
Will be valid only on example.com.
Will expire on the server side after 1 hour.
Will be deleted on the client when the user closes the browser.
Will not be accessible by Javascript.
Will be named “myapp” on the client.
Will be named “session:<sid>” in the session store.