🇺🇸English

Session Management

Table of Contents

• Overview
• When to Use
• Quick Start
• Reference Guides
• Best Practices

Overview

Implement comprehensive session management systems with secure token handling, session persistence, token refresh mechanisms, proper logout procedures, and CSRF protection across different backend frameworks.

When to Use

• Implementing user authentication systems
• Managing session state and user context
• Handling JWT token refresh cycles
• Implementing logout functionality
• Protecting against CSRF attacks
• Managing session expiration and cleanup

Quick Start

Minimal working example:

# Python/Flask Example
from flask import current_app
from datetime import datetime, timedelta
import jwt
import os

class TokenManager:
    def __init__(self, secret_key=None):
        self.secret_key = secret_key or os.getenv('JWT_SECRET')
        self.algorithm = 'HS256'
        self.access_token_expires_hours = 1
        self.refresh_token_expires_days = 7

    def generate_tokens(self, user_id, email, role='user'):
        """Generate both access and refresh tokens"""
        now = datetime.utcnow()

        # Access token
        access_payload = {
            'user_id': user_id,
            'email': email,
            'role': role,
            'type': 'access',
            'iat': now,
            'exp': now + timedelta(hours=self.access_token_expires_hours)
// ... (see reference guides for full implementation)

Reference Guides

Detailed implementations in the references/ directory:

Best Practices

✅ DO

• Use HTTPS for all session transmission
• Implement secure cookies (httpOnly, sameSite, secure flags)
• Use JWT with proper expiration times
• Implement token refresh mechanism
• Store refresh tokens securely
• Validate tokens on every request
• Use strong secret keys
• Implement session timeout
• Log authentication events
• Clear session data on logout
• Use CSRF tokens for state-changing requests

❌ DON'T

• Store sensitive data in tokens
• Use short secret keys
• Transmit tokens in URLs
• Ignore token expiration
• Reuse token secrets across environments
• Store tokens in localStorage (use httpOnly cookies)
• Implement session without HTTPS
• Forget to validate token signatures
• Expose session IDs in logs
• Use predictable session IDs

Weekly Installs

116

Repository

aj-geddes/usefu…-prompts

GitHub Stars

116

First Seen

Jan 21, 2026

Security Audits

Gen Agent Trust HubPassSocketPassSnykPass

Installed on

opencode96

gemini-cli92

codex91

claude-code90

cursor84

github-copilot78