Advanced sessions for Starlette and FastAPI frameworks
Install starsessions
using PIP or poetry:
pip install starsessions
# or
poetry add starsessions
Use redis
extra for Redis support.
See example application in examples/
directory of this repository.
- Add
starsessions.SessionMiddleware
to your application to enable session support, - Configure session store and pass it to the middleware,
- Load session in your view/middleware using
load_session
utility.
from starlette.applications import Starlette
from starlette.middleware import Middleware
from starlette.responses import JSONResponse
from starlette.routing import Route
from starsessions import CookieStore, load_session, SessionMiddleware
async def index_view(request):
await load_session(request)
session_data = request.session
return JSONResponse(session_data)
session_store = CookieStore(secret_key='TOP SECRET')
app = Starlette(
middleware=[
Middleware(SessionMiddleware, store=session_store, lifetime=3600 * 24 * 14),
],
routes=[
Route('/', index_view),
]
)
By default, the middleware uses strict defaults.
The cookie lifetime is limited to the browser session and send via HTTPS protocol only.
You can change these defaults by changing cookie_https_only
and lifetime
arguments:
from starlette.middleware import Middleware
from starsessions import CookieStore, SessionMiddleware
session_store = CookieStore(secret_key='TOP SECRET')
middleware = [
Middleware(SessionMiddleware, store=session_store, cookie_https_only=False, lifetime=3600 * 24 * 14),
]
The example above will let session usage over insecure HTTP transport and the session lifetime will be set to 14 days.
For performance reasons session is not autoloaded by default. Sometimes it is annoying to call load_session
too often.
We provide SessionAutoloadMiddleware
to reduce amount of boilerplate code by autoloading session for you.
There are two options: always autoload or autoload for specific paths only. Here are examples:
from starlette.middleware import Middleware
from starsessions import CookieStore, SessionAutoloadMiddleware, SessionMiddleware
session_store = CookieStore(secret_key='TOP SECRET')
# Always autoload
middleware = [
Middleware(SessionMiddleware, store=session_store),
Middleware(SessionAutoloadMiddleware),
]
# Autoload session for selected paths
middleware = [
Middleware(SessionMiddleware, store=session_store),
Middleware(SessionAutoloadMiddleware, paths=['/admin', '/app']),
]
# regex patterns also supported
import re
admin_rx = re.compile('/admin*')
middleware = [
Middleware(SessionMiddleware, store=session_store),
Middleware(SessionAutoloadMiddleware, paths=[admin_rx]),
]
The default behavior of SessionMiddleware
is to expire cookie after lifetime
seconds after it was set.
For example, if you create a session with lifetime=3600
then the session will be terminated exactly in 3600 seconds.
Sometimes this may not be what you need, so we provide alternate expiration strategy - rolling sessions.
When rolling sessions in use, the cookie expiration time will be extended by lifetime
value on every response.
Let's see how it works on example. First, on the first response you create a new session with lifetime=3600
,
then user does another request and session gets extended by another 3600 seconds and so on.
This approach is useful when you want to have short-timed sessions but don't want them to interrupt in the middle of
user's operation. With rolling strategy, session cookie will be expired only after some period of user's inactivity.
To enable rolling strategy set rolling=True
.
from starlette.middleware import Middleware
from starsessions import SessionMiddleware
middleware = [
Middleware(SessionMiddleware, lifetime=300, rolling=True),
]
The snippet above demonstrates an example setup where session will be dropped after 300 seconds (5 minutes) of inactivity, but will be automatically extended by another 5 minutes while the user is online.
You can pass cookie_path
argument to bind session cookie to specific URLs. For example, to activate session cookie
only for admin area, use cookie_path="/admin"
middleware argument.
from starlette.middleware import Middleware
from starsessions import SessionMiddleware
middleware = [
Middleware(SessionMiddleware, cookie_path='/admin'),
]
All other URLs not matching value of cookie_path
will not receive cookie thus session will be unavailable.
You can also specify which hosts can receive a cookie by passing cookie_domain
argument to the middleware.
from starlette.middleware import Middleware
from starsessions import SessionMiddleware
middleware = [
Middleware(SessionMiddleware, cookie_domain='example.com'),
]
Note, this makes session cookie available for subdomains too. For example, when you set
cookie_domain=example.com
then session cookie will be available on subdomains likeapp.example.com
.
If you want session cookie to automatically remove from tbe browser when tab closes then set lifetime
to 0
.
Note, this depends on browser implementation!
from starlette.middleware import Middleware
from starsessions import SessionMiddleware
middleware = [
Middleware(SessionMiddleware, lifetime=0),
]
Class: starsessions.InMemoryStore
Simply stores data in memory. The data is cleared after server restart. Mostly for use with unit tests.
Class: starsessions.CookieStore
Stores session data in a signed cookie on the client.
Class: starsessions.stores.redis.RedisStore
Stores session data in a Redis server. The store accepts either connection URL or an instance of aioredis.Redis
.
Requires aioredis, use
pip install starsessions[redis]
orpoetry add starsessions[redis]
import aioredis
from starsessions.stores.redis import RedisStore
store = RedisStore('redis://localhost')
# or
redis = aioredis.from_url('redis://localhost')
store = RedisStore(connection=redis)
By default, all keys in Redis prefixed with starsessions_
. If you want to change this use prefix
argument.
from starsessions.stores.redis import RedisStore
store = RedisStore(url='redis://localhost', prefix='my_sessions')
Prefix can be a callable:
from starsessions.stores.redis import RedisStore
def make_prefix(key: str) -> str:
return 'my_sessions_' + key
store = RedisStore(url='redis://localhost', prefix=make_prefix)
The library automatically manages key expiration
Creating new stores is quite simple. All you need is to extend starsessions.SessionStore
class and implement abstract methods.
Here is an example of how we can create a memory-based session store. Note, it is important that write
method
returns session ID as a string value.
from typing import Dict
from starsessions import SessionStore
# instance of class which manages session persistence
class InMemoryStore(SessionStore):
def __init__(self):
self._storage = {}
async def read(self, session_id: str, lifetime: int) -> Dict:
""" Read session data from a data source using session_id. """
return self._storage.get(session_id, {})
async def write(self, session_id: str, data: Dict, lifetime: int) -> str:
""" Write session data into data source and return session id. """
self._storage[session_id] = data
return session_id
async def remove(self, session_id: str):
""" Remove session data. """
del self._storage[session_id]
async def exists(self, session_id: str) -> bool:
return session_id in self._storage
Sometimes you cannot pass raw session data to the store. The data must be serialized into something the store can handle.
Some stores (like RedisStore
) optionally accept serializer
argument that will be used to serialize and
deserialize session data. By default, we provide (and use) starsessions.JsonSerializer
but you can implement your own
by extending starsessions.Serializer
class.
The middleware will remove session data and cookie if session has no data. Use request.session.clear
to empty data.
Sometimes you need a new session ID to avoid session fixation attacks (for example, after successful signs in).
For that, use starsessions.session.regenerate_session_id(connection)
utility.
from starsessions.session import regenerate_session_id
from starlette.responses import Response
def login(request):
regenerate_session_id(request)
return Response('successfully signed in')