redis-sesh

1.0.10 • Public • Published

Hard to say; easy to use.

redis-sesh is a redis based session store which is pretty much as simple as possible. Probably too simple.

API:

{
   set: function(id, callback){},
   get: function(session, callback){},
   liv: function(session, callback){},
   die: function(session, callback){}
}

To use:

Make sure you have node, npm and redis.

npm install redis-sesh --save --save-exact (You do use --save-exact, right?)

var redis = require("redis"); // don't forget to run: `npm install redis --save --save-exact`
// `createClient` takes some options. Make sure you configure it to actually work for your setup.
var redisClient = redis.createClient();

var RedisSesh = require("redis-sesh");
var ttl = 86400; // The ttl argument is optional. Leave it off (or set to 0) for never-expiring sessions *
var sesh = new RedisSesh(redisClient, "sesh", ttl);

var id = 1337; // this is the thing you want to 
sesh.set(id, function(err, sessionId){
    if(err){/*always make sure you handle your errors, folks*/}
    console.log("Look at my session id: %s!", sessionId);
});

var sessionId = "some session id previously generated by redis-sesh";

// get the "id" for the sessionId
sesh.get(sessionId, function(err, userId){
    if(err){/*...*/}
    console.log("Look at my user id: %s!", userId);
});

// make the session last longer (resets expiration to the ttl value):
sesh.liv(sessionId, function(err){
    if(err){/*...*/}
    console.log("Um, it's done I guess");
});

// This kills the crab, er, session.
sesh.die(sessionId, function(err){
    if(err){/*...*/}
    console.log("The session should be gone now");
});

But are the session ids secure?

It generates 32 bytes of cryptographically random data for the session and converts it to base64. That's 3 nonillion possible combinations, or 3 thousand billion billion billion.

It basically does something like this: crypto.randomBytes(32).toString("base64");. Ok, not basically, that's what it does.

Additionally, redis-sesh checks for session id collisions (via setnx) and recomputes a new session id automatically if a collision is found. (There is still a chance a session id could have expired but the user still has it, then redis-sesh creates an identical session id, and the old user then visits again. But there is also a chance that you'll get hit by a duck made of pure gold that has the winning lottery numbers engraved on its beak, but I digress.)
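The generate-and-retry flow described above, as an added sketch that is not redis-sesh's own source. `FakeRedis`, `createSession`, the `generate` and `maxTries` parameters and the `prefix:sessionId` key layout are assumptions made so it runs without a Redis server.

```javascript
// Added example, not redis-sesh's source. FakeRedis is a constructed in-memory
// stand-in exposing only the callback-style commands this sketch needs.
const crypto = require("crypto");

function FakeRedis() { this.store = new Map(); this.ttls = new Map(); }
FakeRedis.prototype.setnx = function (key, value, cb) {
    if (this.store.has(key)) return cb(null, 0); // key exists: nothing written
    this.store.set(key, String(value));
    cb(null, 1);
};
FakeRedis.prototype.expire = function (key, seconds, cb) {
    this.ttls.set(key, seconds);
    cb(null, 1);
};

// 32 bytes from the CSPRNG (256 bits), base64-encoded to 44 characters.
function newSessionId() {
    return crypto.randomBytes(32).toString("base64");
}

// Create a session for `id`; on a SETNX collision draw a fresh id and retry.
// `generate` and `maxTries` are hypothetical parameters added for this example;
// the "prefix:sessionId" key layout is assumed, not taken from the package.
function createSession(client, prefix, ttl, id, callback, generate, maxTries) {
    generate = generate || newSessionId;
    let tries = maxTries || 5;
    (function attempt() {
        if (tries-- <= 0) return callback(new Error("could not allocate a session id"));
        const sessionId = generate();
        const key = prefix + ":" + sessionId;
        client.setnx(key, id, function (err, wasSet) {
            if (err) return callback(err);
            if (wasSet !== 1) return attempt(); // collision: never overwrite a live session
            if (!ttl) return callback(null, sessionId); // 0 or omitted: no expiry
            client.expire(key, ttl, function (expireErr) {
                callback(expireErr || null, sessionId);
            });
        });
    })();
}
```

Standard base64 output can contain `+`, `/` and `=`, so encode the session id before placing it in a URL or cookie value.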

Something to know:

redis-sesh doesn't validate anything you pass to it. It won't (de)serialize anything for you. It won't even check if you supplied a callback function or not.

    License

    ISC

    Collaborators

    • davidmurdoch