Implements secure session management using JWT tokens, Redis storage, refresh flows, and secure cookies in Node.js/Express apps. Use for authentication systems, user sessions, and logout.
npx claudepluginhub secondsky/claude-skills --plugin session-management

How this skill is triggered — by the user, by Claude, or both
Slash command
/session-management:session-management

The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Implement secure session management with proper token handling and storage.
Implement secure session handling with proper token generation, storage, expiry, CSRF protection, and session invalidation.
Implements secure session management with cryptographically random tokens, HttpOnly/Secure/SameSite cookies, and timeout enforcement to prevent hijacking and fixation.
Guides session token generation, cookie security configuration, timeout policies, and revocation to prevent hijacking and fixation attacks.
Implement secure session management with proper token handling and storage.
const jwt = require('jsonwebtoken');
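/**
 * Issue a short-lived access JWT and a longer-lived refresh JWT for `user`.
 *
 * The two tokens are signed with separate secrets, so a leaked access secret
 * cannot mint refresh tokens. Each carries a `type` claim that verifiers must
 * check (a refresh token must never be accepted where an access token is
 * expected) and a random `jti` so an individual token can be recorded as
 * revoked server-side; a bare JWT cannot otherwise be recalled before expiry.
 *
 * @param {{ id: string|number, role: string }} user - authenticated user; only
 *   `id` and `role` are copied into the claims, never the whole record
 * @returns {{ accessToken: string, refreshToken: string }}
 * @throws {Error} when JWT_SECRET or REFRESH_SECRET is not configured, so the
 *   app fails closed instead of signing with an empty key
 */
function generateTokens(user) {
  const { JWT_SECRET, REFRESH_SECRET } = process.env;
  if (!JWT_SECRET || !REFRESH_SECRET) {
    throw new Error('JWT_SECRET and REFRESH_SECRET must be configured');
  }

  // Explicit HS256 so the signing algorithm matches what verifiers pin.
  const accessToken = jwt.sign(
    { userId: user.id, role: user.role, type: 'access', jti: crypto.randomUUID() },
    JWT_SECRET,
    { algorithm: 'HS256', expiresIn: '1h' }
  );
  const refreshToken = jwt.sign(
    { userId: user.id, type: 'refresh', jti: crypto.randomUUID() },
    REFRESH_SECRET,
    { algorithm: 'HS256', expiresIn: '7d' }
  );
  return { accessToken, refreshToken };
}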
const redis = require('redis');
// node-redis client with default connection settings (localhost:6379, no auth).
// NOTE(review): createClient() does not connect by itself in node-redis v4 —
// presumably `client.connect()` is awaited elsewhere; confirm before relying on it.
const client = redis.createClient();
class SessionStore {
async create(userId, sessionData) {
const sessionId = crypto.randomUUID();
await client.hSet(`sessions:${userId}`, sessionId, JSON.stringify({
...sessionData,
createdAt: Date.now()
}));
await client.expire(`sessions:${userId}`, 86400 * 7);
return sessionId;
}
async invalidateAll(userId) {
await client.del(`sessions:${userId}`);
}
}
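// express-session cookie policy. `resave`/`saveUninitialized: false` means no
// session (and no cookie) is written for anonymous requests, which also avoids
// handing an attacker a pre-login session id to fixate.
app.use(session({
  name: 'session',                                // generic name: don't advertise the framework
  secret: process.env.SESSION_SECRET,             // may be an array; newest key first to rotate
  cookie: {
    httpOnly: true,                               // unreadable from page script
    secure: process.env.NODE_ENV === 'production', // HTTPS-only outside local dev
    sameSite: 'strict',                           // not sent on cross-site requests (CSRF)
    maxAge: 3600000,                              // 1 hour
    // Host-only unless COOKIE_DOMAIN is set. A parent domain such as
    // '.example.com' makes the cookie readable from, and overwritable by, every
    // subdomain, so a compromised sibling host can fixate or steal sessions;
    // opt in only when sessions genuinely have to be shared across hosts.
    ...(process.env.COOKIE_DOMAIN ? { domain: process.env.COOKIE_DOMAIN } : {}),
  },
  resave: false,
  saveUninitialized: false
}));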
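// Exchange a valid refresh cookie for a new token pair.
// Responses are deliberately uniform (401 + generic message) so a caller
// cannot distinguish "expired" from "forged" from "user deleted".
app.post('/auth/refresh', async (req, res) => {
  const { refreshToken } = req.cookies ?? {};
  if (!refreshToken) {
    return res.status(401).json({ error: 'Invalid refresh token' });
  }
  try {
    // Pin the algorithm: a token signed any other way is rejected outright.
    const payload = jwt.verify(refreshToken, process.env.REFRESH_SECRET, {
      algorithms: ['HS256'],
    });
    // Access and refresh tokens use different secrets, but check `type` too so
    // a misconfiguration (same secret) cannot turn an access token into a
    // long-lived refresh credential.
    if (payload.type !== 'refresh') throw new Error('Invalid token type');
    const user = await User.findById(payload.userId);
    // The account may have been deleted or disabled since the token was issued.
    if (!user) throw new Error('Unknown user');
    const tokens = generateTokens(user);
    // Rotate the refresh token as well, so a captured cookie has a bounded
    // useful life rather than a full 7 days.
    // TODO(review): record the presented token (e.g. its `jti`) as consumed in
    // Redis and reject reuse — a bare JWT cannot otherwise be recalled.
    res.cookie('accessToken', tokens.accessToken, cookieOptions);
    res.cookie('refreshToken', tokens.refreshToken, cookieOptions);
    res.json({ success: true });
  } catch (err) {
    res.status(401).json({ error: 'Invalid refresh token' });
  }
});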