session-management | aj-geddes-useful-ai-prompts-4 | ClaudePluginHub

Skill

session-management

From aj-geddes-useful-ai-prompts-4

Implements secure session management with JWT tokens, session storage, token refresh, logout, and CSRF protection. Use for user authentication state, token lifecycle, and session security in backends.

Install

$

npx claudepluginhub joshuarweaver/cascade-code-languages-misc-1 --plugin aj-geddes-useful-ai-prompts-4

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- [Overview](#overview)

Supporting Assets

references/csrf-protection.mdreferences/jwt-token-generation-and-validation.mdreferences/nodejsexpress-jwt-implementation.mdreferences/session-cleanup-and-maintenance.mdreferences/session-middleware-chain.mdreferences/session-storage-with-redis.mdreferences/token-refresh-endpoint.mdscripts/security-checklist.sh

SKILL.md

Similar Skills

skill-lookup

Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.

159.9k

prompt-lookup

Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.

159.9k

next-compile

1 file

Checks Next.js compilation errors using a running Turbopack dev server after code edits. Fixes actionable issues before reporting complete. Replaces `next build`.

vercel-next-js-2

139.2k

Stats

Stars180

Forks28

Last CommitMar 3, 2026

Actions

View Source View Plugin View on GitHub View README

Tags

session-management

csrf-protection

logout-handling

session-storage

Session Management

Table of Contents

Overview
When to Use
Quick Start
Reference Guides
Best Practices

Overview

Implement comprehensive session management systems with secure token handling, session persistence, token refresh mechanisms, proper logout procedures, and CSRF protection across different backend frameworks.

When to Use

Implementing user authentication systems
Managing session state and user context
Handling JWT token refresh cycles
Implementing logout functionality
Protecting against CSRF attacks
Managing session expiration and cleanup

Quick Start

Minimal working example:

# Python/Flask Example
from flask import current_app
from datetime import datetime, timedelta
import jwt
import os

class TokenManager:
    def __init__(self, secret_key=None):
        self.secret_key = secret_key or os.getenv('JWT_SECRET')
        self.algorithm = 'HS256'
        self.access_token_expires_hours = 1
        self.refresh_token_expires_days = 7

    def generate_tokens(self, user_id, email, role='user'):
        """Generate both access and refresh tokens"""
        now = datetime.utcnow()

        # Access token
        access_payload = {
            'user_id': user_id,
            'email': email,
            'role': role,
            'type': 'access',
            'iat': now,
            'exp': now + timedelta(hours=self.access_token_expires_hours)
// ... (see reference guides for full implementation)

Reference Guides

Detailed implementations in the references/ directory:

Guide	Contents
JWT Token Generation and Validation	JWT Token Generation and Validation
Node.js/Express JWT Implementation	Node.js/Express JWT Implementation
Session Storage with Redis	Session Storage with Redis
CSRF Protection	CSRF Protection
Session Middleware Chain	Session Middleware Chain
Token Refresh Endpoint	Token Refresh Endpoint
Session Cleanup and Maintenance	Session Cleanup and Maintenance

Best Practices

✅ DO

Use HTTPS for all session transmission
Implement secure cookies (httpOnly, sameSite, secure flags)
Use JWT with proper expiration times
Implement token refresh mechanism
Store refresh tokens securely
Validate tokens on every request
Use strong secret keys
Implement session timeout
Log authentication events
Clear session data on logout
Use CSRF tokens for state-changing requests

❌ DON'T

Store sensitive data in tokens
Use short secret keys
Transmit tokens in URLs
Ignore token expiration
Reuse token secrets across environments
Store tokens in localStorage (use httpOnly cookies)
Implement session without HTTPS
Forget to validate token signatures
Expose session IDs in logs
Use predictable session IDs