session

The session extension provides cookie-based sessions with server-side file storage.

API

MethodDescription
session.start()Start or resume a session
session.get(key)Get a session value
session.set(key, value)Set a session value
session.destroy()Destroy the session

Basic Usage

session.start();

// Store data
session.set("user_id", 42);
session.set("username", "Alice");

// Retrieve data
const userId = session.get("user_id"); // 42
const username = session.get("username"); // "Alice"

// Non-existent keys return null
const missing = session.get("foo"); // null

Login Example

if (request.method === "POST") {
    const data = JSON.parse(request.body);
    const db = sqlite.open("/var/www/data/app.db");
    const user = db.queryOne("SELECT * FROM users WHERE email = ? AND password = ?",
        [data.email, crypto.sha256(data.password)]);
    db.close();

    if (user) {
        session.start();
        session.set("user_id", user.id);
        session.set("username", user.name);
        response.setStatus(200);
        print(JSON.stringify({ success: true }));
    } else {
        response.setStatus(401);
        print(JSON.stringify({ error: "Invalid credentials" }));
    }
}

Logout

session.start();
session.destroy();

Auth Guard

session.start();
if (!session.get("user_id")) {
    response.setStatus(302);
    response.setHeader("Location", "/login");
} else {
    print(`<h1>Welcome back, ${session.get("username")}!</h1>`);
}

How It Works

  • A JSCGI_SESSID cookie is set on the client
  • Session data is stored as JSON files on the server
  • Files are stored in /tmp/js-cgi_sessions/
  • The cookie is HttpOnly and SameSite=Strict by default
  • session.start() must be called before get() or set()
Was this page helpful?