aiohttp-session 1.0.0

Usage

The library allows to store user-specific data into session object.

The session object has dict-like interface (operations like session[key] = value, value = session[key] etc. are present).

Before processing session in web-handler you have to register session middleware in aiohttp.web.Application.

A trivial usage example:

import asyncio
import time
import base64
from cryptography import fernet
from aiohttp import web
from aiohttp_session import setup, get_session, session_middleware
from aiohttp_session.cookie_storage import EncryptedCookieStorage

async def handler(request):
    session = await get_session(request)
    last_visit = session['last_visit'] if 'last_visit' in session else None
    text = 'Last visited: {}'.format(last_visit)
    return web.Response(body=text.encode('utf-8'))

def make_app():
    app = web.Application()
    # secret_key must be 32 url-safe base64-encoded bytes
    fernet_key = fernet.Fernet.generate_key()
    secret_key = base64.urlsafe_b64decode(fernet_key)
    setup(app, EncryptedCookieStorage(secret_key))
    app.router.add_route('GET', '/', handler)
    return app

web.run_app(make_app())

All storages uses HTTP Cookie named AIOHTTP_COOKIE_SESSION for storing data.

Available session storages are:

• aiohttp_session.SimpleCookieStorage() – keeps session data as plain JSON string in cookie body. Use the storage only for testing purposes, it’s very non-secure.

• aiohttp_session.cookie_storage.EncryptedCookieStorage(secret_key) – stores session data into cookies as SimpleCookieStorage but encodes it via AES cipher. secrect_key is a bytes key for AES encryption/decryption, the length should be 32 bytes.

  Requires cryptography library:

  $ pip install aiohttp_session[secure]

• aiohttp_session.redis_storage.RedisStorage(redis_pool) – stores JSON-ed data in redis, keeping only the redis key (random UUID) in the cookie. redis_pool is aioredis pool object, created by yield from aioredis.create_pool(...) call.

  Requires aioredis library:

  $ pip install aiohttp_session[aioredis]

License

aiohttp_session is offered under the Apache 2 license.

1.0.0 (2017-07-27)

• Catch decoder exception in RedisStorage on data load #175

• Specify domain and path on cookie deletion #171

0.8.0 (2016-12-04)

• Use time.time() instead of time.monotonic() for absolute times #81

0.7.0 (2016-09-24)

• Fix tests to be compatible with aiohttp upstream API for client cookies

0.6.0 (2016-09-08)

• Add expires field automatically to support older browsers #43

• Respect session.max_age in redis storage #45

• Always pass default max_age from storage into session #45

0.5.0 (2016-02-21)

• Handle cryptography.fernet.InvalidToken exception by providing an empty session #29

0.4.0 (2016-01-06)

• Add optional NaCl encrypted storage #20

• Relax EncryptedCookieStorage to accept base64 encoded string, e.g. generated by Fernet.generate_key.

• Add setup() function

• Save the session even on exception in the middleware chain

0.3.0 (2015-11-20)

• Reflect aiohttp changes: minimum required Python version is 3.4.1

• Use explicit ‘aiohttp_session’ package

0.2.0 (2015-09-07)

• Add session.created property #14

• Replaced PyCrypto with crypthography library #16

0.1.2 (2015-08-07)

• Add manifest file #15

0.1.1 (2015-04-20)

• Fix #7: stop cookie name growing each time session is saved

0.1.0 (2015-04-13)

• First public release