Cookie Sessions for RedHttpServer
July 19, 2021
The RedHttp project is no longer maintained. See Carter for a similar low-ceremony experience.
Simple session management middleware for Red.
SessionStores already available:
- Entity Framework Core
- Redis
- LiteDB
- SQLite
Usage
After installing and referencing this library, Red.Response has the extension methods OpenSession(TSession session), RenewSession(TSession session) and CloseSession(TSession session).
Example
    // Session data stored server-side for each issued token
    class MySession : CookieSessionBase
    {
        public string Username;
    }
    ...
    var server = new RedHttpServer(5000, "public");
    // Register the session middleware; sessions are valid for 5 days
    server.Use(new CookieSessions<MySession>(TimeSpan.FromDays(5)));

    // Responds 401 Unauthorized when the request carries no valid session
    async Task Auth(Request req, Response res)
    {
        if (req.GetSession<MySession>() == null)
        {
            await res.SendStatus(HttpStatusCode.Unauthorized);
        }
    }

    server.Get("/", Auth, async (req, res) =>
    {
        var session = req.GetSession<MySession>();
        await res.SendString($"Hi {session.Username}");
    });

    server.Get("/login", async (req, res) =>
    {
        // GET without credentials, so the session system can be tested using only a browser.
        // This would most likely be a POST request in the real world.
        await res.OpenSession(new MySession { Username = "benny" });
        await res.SendStatus(HttpStatusCode.OK);
    });

    server.Get("/logout", Auth, async (req, res) =>
    {
        var session = req.GetData<MySession>();
        await res.CloseSession(session);
        await res.SendStatus(HttpStatusCode.OK);
    });

    await server.RunAsync();
Implementation
OpenSession will open a new session and attach a Set-Cookie header to the associated response.
This header's value contains the token used for authentication.
The token is generated using the RandomNumberGenerator from System.Security.Cryptography, a cryptographically secure random number generator,
so other tokens should not be practical to "guess", even with knowledge of some tokens.
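The mechanism described above (a random token issued in a Set-Cookie header and looked up server-side until it expires or is closed), as an added sketch that is not the library's own code. The class name DemoSessionStore, the cookie name session_token, the 32-byte token length and the cookie attributes are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Added sketch, not Red.CookieSessions source. The cookie name, token length
// and cookie attributes below are assumptions chosen for illustration.
public sealed class DemoSessionStore<TSession>
{
    private readonly ConcurrentDictionary<string, (TSession Data, DateTime Expires)> _sessions = new();
    private readonly TimeSpan _lifetime;
    public DemoSessionStore(TimeSpan lifetime) => _lifetime = lifetime;

    // 32 bytes (256 bits) from the OS CSPRNG, base64url-encoded so the value is cookie-safe.
    private static string NewToken()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Stores the session server-side and returns the Set-Cookie header value for the response.
    public string Open(TSession session)
    {
        var token = NewToken();
        _sessions[token] = (session, DateTime.UtcNow + _lifetime);
        return Cookie(token, (int)_lifetime.TotalSeconds);
    }

    // Looks up a presented token; expired entries are removed and treated as absent.
    public bool TryGet(string token, out TSession session)
    {
        session = default;
        if (token == null || !_sessions.TryGetValue(token, out var entry)) return false;
        if (entry.Expires <= DateTime.UtcNow) { _sessions.TryRemove(token, out _); return false; }
        session = entry.Data;
        return true;
    }

    // Drops the server-side entry and returns a header that expires the cookie in the browser.
    public string Close(string token)
    {
        _sessions.TryRemove(token, out _);
        return Cookie("", 0);
    }

    private static string Cookie(string value, int maxAge) =>
        $"session_token={value}; Max-Age={maxAge}; Path=/; HttpOnly; Secure; SameSite=Strict";
}
```

HttpOnly keeps the token out of reach of page scripts, and removing the server-side entry on Close means a copied cookie stops working at logout rather than at its Max-Age.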