Database-backed sessions keyed by a 256-bit OS-random token.
Sessions are never kept in memory. Every validation goes through the DB so a compromised or logged-out session is immediately invalid everywhere.
Functions
- create
- Create a new session for a user and persist it. The returned token is the cookie value the browser should receive.
- delete
- Delete a session. Logout path. Idempotent — deleting a non-existent session is not an error.
- find_valid
- Look up a session by token. Returns None if the token doesn’t exist or the session has expired. Expiration is checked on every call — the DB expiry column is the source of truth.
- sweep_expired
- Remove all expired sessions from the DB. Safe to call on a schedule; not called automatically in 0.4.0.
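
The lifecycle described by these four functions, as an added sketch that is not this crate's code. The `Db` type, `new_token`, all signatures and the explicit `now` argument are assumptions; a `HashMap` stands in for the sessions table, and `/dev/urandom` is assumed as the OS random source.

```rust
use std::{collections::HashMap, fs::File, io::{self, Read}};
use std::time::{Duration, SystemTime};

// Hypothetical stand-in for the sessions table: token -> (user_id, expires_at).
// A real deployment issues the equivalent SQL against the database.
#[derive(Default)]
pub struct Db { rows: HashMap<String, (u64, SystemTime)> }

// 256 bits from the OS CSPRNG, hex-encoded for use as the cookie value.
// Assumption: Unix-like host exposing /dev/urandom.
fn new_token() -> io::Result<String> {
    let mut buf = [0u8; 32];
    File::open("/dev/urandom")?.read_exact(&mut buf)?;
    Ok(buf.iter().map(|b| format!("{:02x}", b)).collect())
}

impl Db {
    pub fn create(&mut self, user_id: u64, ttl: Duration, now: SystemTime) -> io::Result<String> {
        let token = new_token()?;
        self.rows.insert(token.clone(), (user_id, now + ttl));
        Ok(token)
    }

    // Expiry is compared on every lookup; the stored expires_at decides.
    pub fn find_valid(&self, token: &str, now: SystemTime) -> Option<u64> {
        match self.rows.get(token) {
            Some(&(user_id, expires_at)) if expires_at > now => Some(user_id),
            _ => None,
        }
    }

    // Idempotent: removing an unknown token is not an error.
    pub fn delete(&mut self, token: &str) { self.rows.remove(token); }

    // Removes every expired row and returns how many were dropped.
    pub fn sweep_expired(&mut self, now: SystemTime) -> usize {
        let before = self.rows.len();
        self.rows.retain(|_, row| row.1 > now);
        before - self.rows.len()
    }
}

fn main() -> io::Result<()> {
    let (mut db, now) = (Db::default(), SystemTime::now());
    let token = db.create(42, Duration::from_secs(3600), now)?;
    db.delete(&token);
    println!("after logout: {:?}", db.find_valid(&token, now));
    Ok(())
}
```

Taking `now` as an argument keeps the expiry comparison deterministic under test; an expired row stays rejected by `find_valid` whether or not a sweep has run yet.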