@exortek/session
Sealed-cookie session manager for Node.js — rotation, revocation, sudo
mode, impersonation, concurrent limits, fingerprint binding, device
labels, session events, Redis distributed revocation, CSRF derivation,
trusted-device cookies, and adapters for Fastify, Express, Hono, and
Elysia. Built on @exortek/crypto.
Quick tour
import { createSessionManager } from '@exortek/session';
const sessions = createSessionManager({
secret: process.env.SESSION_SECRET,
ttl: '7d',
idleTtl: '30m',
});
// Login
const { cookie } = await sessions.issue({
userId: user.id,
claims: { roles: ['admin'] },
});
res.setHeader('Set-Cookie', cookie);
// Middleware
const session = await sessions.verify(req);
if (!session) return unauthorized();
// Password-change flow — sign out every other device
await sessions.revokeAllExceptCurrent(req);
// Sensitive endpoint — sudo mode
if (!(await sessions.requireFreshAuth(req, { maxAgeSeconds: 300 }))) {
return res.redirect('/reauth');
}
// Logout
const { cookie: bye } = await sessions.revoke(req);
res.setHeader('Set-Cookie', bye);Package layout
| Subpath | What it exports |
|---|---|
@exortek/session | createSessionManager, sessionStore.memory, CSRF helpers |
@exortek/session/stores/redis | Redis session store + pub/sub distributed revocation |
@exortek/session/trusted-device | Long-lived “remember this device” cookie for 2FA skip |
@exortek/session/fastify | Fastify plugin |
@exortek/session/express | Express middleware |
@exortek/session/hono | Hono middleware |
@exortek/session/elysia | Elysia plugin |
Features (opt-in via config flags)
anonymous: true— guest sessions withuserId: null; promote viasessions.upgrade()concurrentLimit: 3— max sessions per user; oldest kickedbindTo: ['ip', 'ua']+bindStrictness: 'soft'— fingerprint binding with mobile-friendly modeimpersonation: true+impersonationTtl: '15m'— admin-as-user with a short TTL and full audit traildeviceLabels: true— auto-generatediPhone 14 · Chromeevents: { onIssue, onVerify, onRotate, onRevoke, onDeny, onSuspicious }— audit callbackssuspiciousActivity: true— IP + UA change flaggingtouchEvery: '1m'— cut store write traffic on hot login endpointsstore: redisStore(...)— Redis session store with pub/sub distributed revocation
Where to next
- config — every option, every default, every knob
- cookbook — login flow, password change, guest checkout, 2FA + trusted device, admin impersonation, silent secret rotation
- README on GitHub — the complete API reference and error codes
Compliance impact — enabling @exortek/session moves the following
OWASP ASVS V3 rows from 🟡 to ✅ on the
compliance page: V3.2, V3.4, V3.5, V3.7.
Last updated on