Introduction
Session management across multiple servers — use Redis as centralized storage so any server can access the same session. Let Claude Code design distributed sessions.
CLAUDE.md Rules
```markdown
## Session Management Rules
- Redis: shared across all servers (MemoryStore forbidden in prod)
- Session ID: crypto.randomBytes(32) or longer
- Cookie: httpOnly, secure, sameSite=strict
- Session fixation prevention: regenerate on login
- Idle timeout: 30min + absolute 24h
```
Generated Implementation
```typescript
// src/session/config.ts
import { randomBytes } from 'node:crypto';
import session from 'express-session';
import RedisStore from 'connect-redis';
import Redis from 'ioredis';
import type { Request } from 'express';

// Fields this module stores on the session; express-session needs the augmentation.
declare module 'express-session' {
  interface SessionData {
    userId?: string;
    absoluteExpiry?: number;
  }
}

// Shared client: every app server talks to the same Redis (REDIS_URL is assumed).
export const redis = new Redis(process.env.REDIS_URL!);

const store = new RedisStore({
  client: redis,
  prefix: 'sess:',
  ttl: 30 * 60,        // idle timeout in seconds; refreshed by touch on each request
  disableTouch: false,
});

export const sessionMiddleware = session({
  store,
  secret: process.env.SESSION_SECRET!,
  // 32 random bytes per the CLAUDE.md rule (express-session's default generator uses 24)
  genid: () => randomBytes(32).toString('base64url'),
  resave: false,
  saveUninitialized: false,
  rolling: true,       // cookie maxAge is reset on every response
  cookie: {
    httpOnly: true,
    secure: process.env.NODE_ENV === 'production',
    sameSite: 'strict',
    maxAge: 24 * 60 * 60 * 1000,
  },
});

// Session fixation prevention
export async function createUserSession(req: Request, userId: string) {
  // Destroy old session ID, generate new one
  await new Promise<void>((resolve, reject) => {
    req.session.regenerate((err) => (err ? reject(err) : resolve()));
  });
  req.session.userId = userId;
  // Stored here only; a request-time check must compare it with Date.now(),
  // because rolling cookies and store touch alone never enforce the 24h limit.
  req.session.absoluteExpiry = Date.now() + 24 * 60 * 60 * 1000;
  // Track active sessions per user
  await redis.sadd(`user:sessions:${userId}`, req.session.id);
}

// Force logout all devices
export async function destroyAllSessions(userId: string) {
  const sessionIds = await redis.smembers(`user:sessions:${userId}`);
  const pipeline = redis.pipeline();
  // Keys match the store prefix above; IDs already expired by TTL are harmless no-ops
  for (const id of sessionIds) pipeline.del(`sess:${id}`);
  pipeline.del(`user:sessions:${userId}`);
  await pipeline.exec();
  return sessionIds.length;
}
```
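The config above sets `rolling: true`, so the cookie's 24h `maxAge` is refreshed on every response and never enforces the absolute limit by itself; the stored expiry has to be checked on each request. The following is an added example (not code from the post or from the generated implementation) that isolates that decision as a pure function so it can be tested without Express or Redis; the `StoredSession` field names `createdAt` and `lastSeenAt` are assumptions, and the simulated client is constructed.

```typescript
import { randomBytes } from 'node:crypto';

// Timeouts from the CLAUDE.md rules.
const IDLE_MS = 30 * 60 * 1000;
const ABSOLUTE_MS = 24 * 60 * 60 * 1000;

// Minimal shape of what the store holds (field names are assumptions).
interface StoredSession {
  userId?: string;
  createdAt: number;   // set once at login, never refreshed
  lastSeenAt: number;  // refreshed on every request, like the rolling cookie
}

type Verdict = 'ok' | 'anonymous' | 'idle_expired' | 'absolute_expired';

// Session ID per the rule: 32 random bytes, URL-safe encoded (43 chars).
function generateSessionId(): string {
  return randomBytes(32).toString('base64url');
}

// The check a request-time middleware must apply. Rolling cookies and store
// touch only push lastSeenAt forward; createdAt anchors the absolute limit.
function evaluateSession(s: StoredSession, now: number): Verdict {
  if (!s.userId) return 'anonymous';
  if (now - s.createdAt >= ABSOLUTE_MS) return 'absolute_expired';
  if (now - s.lastSeenAt >= IDLE_MS) return 'idle_expired';
  return 'ok';
}

// Constructed scenario: a client keeps the session warm every 10 minutes for
// 25 hours. Returns the hour at which the absolute limit fires regardless.
function hoursUntilForcedLogout(): number {
  const start = 1700000000000; // constructed epoch milliseconds
  const s: StoredSession = { userId: 'u1', createdAt: start, lastSeenAt: start };
  for (let t = start; t <= start + 25 * 3600000; t += 10 * 60000) {
    if (evaluateSession(s, t) !== 'ok') return (t - start) / 3600000;
    s.lastSeenAt = t; // the rolling refresh
  }
  return -1;
}
```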
Summary
- RedisStore for distributed session across all servers
- session.regenerate() on login prevents session fixation
- user:sessions:{userId} Redis Set tracks all active sessions
- Absolute 24h expiry even with rolling cookies
Review with **Security Pack (¥1,480)** `/security-check` at prompt-works.jp
myouga (@myougatheaxo) — Axolotl VTuber.