Skill

session-management

Implements secure session management using JWT tokens, Redis storage, refresh flows, and secure cookies in Node.js/Express apps. Use for authentication systems, user sessions, and logout.

Javascript

Node

Install

npx claudepluginhub secondsky/claude-skills --plugin session-management

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Implement secure session management with proper token handling and storage.

SKILL.md

Similar Skills

memory-forensics

Acquire memory dumps from live systems/VMs and analyze with Volatility 3 for processes, networks, DLLs, injections in incident response or malware hunts.

reverse-engineering

33.0k

binary-analysis-patterns

Provides x86-64/ARM disassembly patterns, calling conventions, control flow recognition for static analysis of executables and compiled binaries.

reverse-engineering

33.0k

anti-reversing-techniques

1 file

Identifies anti-debugging checks like IsDebuggerPresent, NtQueryInformationProcess in Windows binaries; suggests bypasses via patches/hooks/scripts for malware analysis, CTFs, authorized RE.

reverse-engineering

33.0k

Stats

Parent Repo Stars99

Parent Repo Forks12

Last CommitApr 2, 2026

Actions

View Source View Plugin View on GitHub View README

Session Management

Implement secure session management with proper token handling and storage.

Token-Based Sessions

const jwt = require('jsonwebtoken');

function generateTokens(user) {
  const accessToken = jwt.sign(
    { userId: user.id, role: user.role, type: 'access' },
    process.env.JWT_SECRET,
    { expiresIn: '1h' }
  );

  const refreshToken = jwt.sign(
    { userId: user.id, type: 'refresh' },
    process.env.REFRESH_SECRET,
    { expiresIn: '7d' }
  );

  return { accessToken, refreshToken };
}

Redis Session Storage

const redis = require('redis');
const client = redis.createClient();

class SessionStore {
  async create(userId, sessionData) {
    const sessionId = crypto.randomUUID();
    await client.hSet(`sessions:${userId}`, sessionId, JSON.stringify({
      ...sessionData,
      createdAt: Date.now()
    }));
    await client.expire(`sessions:${userId}`, 86400 * 7);
    return sessionId;
  }

  async invalidateAll(userId) {
    await client.del(`sessions:${userId}`);
  }
}

Cookie Configuration

app.use(session({
  name: 'session',
  secret: process.env.SESSION_SECRET,
  cookie: {
    httpOnly: true,
    secure: process.env.NODE_ENV === 'production',
    sameSite: 'strict',
    maxAge: 3600000, // 1 hour
    domain: '.example.com'
  },
  resave: false,
  saveUninitialized: false
}));

Token Refresh Flow

app.post('/auth/refresh', async (req, res) => {
  const { refreshToken } = req.cookies;

  try {
    const payload = jwt.verify(refreshToken, process.env.REFRESH_SECRET);
    if (payload.type !== 'refresh') throw new Error('Invalid token type');

    const user = await User.findById(payload.userId);
    const tokens = generateTokens(user);

    res.cookie('accessToken', tokens.accessToken, cookieOptions);
    res.json({ success: true });
  } catch (err) {
    res.status(401).json({ error: 'Invalid refresh token' });
  }
});

Security Requirements

Use HTTPS exclusively
Set httpOnly and sameSite on cookies
Implement proper token expiration
Use strong, unique secrets per environment
Validate signatures on every request

Never Do

Store sensitive data in tokens
Transmit tokens via URL parameters
Use weak or shared secrets
Skip signature validation