Skip to Content
@exortek/sessionOverview

@exortek/session

Sealed-cookie session manager for Node.js — rotation, revocation, sudo mode, impersonation, concurrent limits, fingerprint binding, device labels, session events, Redis distributed revocation, CSRF derivation, trusted-device cookies, and adapters for Fastify, Express, Hono, and Elysia. Built on @exortek/crypto.

Quick tour

import { createSessionManager } from '@exortek/session'; const sessions = createSessionManager({ secret: process.env.SESSION_SECRET, ttl: '7d', idleTtl: '30m', }); // Login const { cookie } = await sessions.issue({ userId: user.id, claims: { roles: ['admin'] }, }); res.setHeader('Set-Cookie', cookie); // Middleware const session = await sessions.verify(req); if (!session) return unauthorized(); // Password-change flow — sign out every other device await sessions.revokeAllExceptCurrent(req); // Sensitive endpoint — sudo mode if (!(await sessions.requireFreshAuth(req, { maxAgeSeconds: 300 }))) { return res.redirect('/reauth'); } // Logout const { cookie: bye } = await sessions.revoke(req); res.setHeader('Set-Cookie', bye);

Package layout

SubpathWhat it exports
@exortek/sessioncreateSessionManager, sessionStore.memory, CSRF helpers
@exortek/session/stores/redisRedis session store + pub/sub distributed revocation
@exortek/session/trusted-deviceLong-lived “remember this device” cookie for 2FA skip
@exortek/session/fastifyFastify plugin
@exortek/session/expressExpress middleware
@exortek/session/honoHono middleware
@exortek/session/elysiaElysia plugin

Features (opt-in via config flags)

  • anonymous: true — guest sessions with userId: null; promote via sessions.upgrade()
  • concurrentLimit: 3 — max sessions per user; oldest kicked
  • bindTo: ['ip', 'ua'] + bindStrictness: 'soft' — fingerprint binding with mobile-friendly mode
  • impersonation: true + impersonationTtl: '15m' — admin-as-user with a short TTL and full audit trail
  • deviceLabels: true — auto-generated iPhone 14 · Chrome
  • events: { onIssue, onVerify, onRotate, onRevoke, onDeny, onSuspicious } — audit callbacks
  • suspiciousActivity: true — IP + UA change flagging
  • touchEvery: '1m' — cut store write traffic on hot login endpoints
  • store: redisStore(...) — Redis session store with pub/sub distributed revocation

Where to next

  • config — every option, every default, every knob
  • cookbook — login flow, password change, guest checkout, 2FA + trusted device, admin impersonation, silent secret rotation
  • README on GitHub  — the complete API reference and error codes

Compliance impact — enabling @exortek/session moves the following OWASP ASVS V3 rows from 🟡 to ✅ on the compliance page: V3.2, V3.4, V3.5, V3.7.

Last updated on