session
fn generate_session_id #
fn generate_session_id() !string
Generate a cryptographically secure session ID. Returns a 64-character hex string (32 random bytes).
fn new_postgres_store #
fn new_postgres_store(config Config, mut db database.DB) !PostgresStore
Create a new PostgreSQL store (v0.3.0: PostgreSQL-only)
fn new_session #
fn new_session(max_age int) !Session
Create a new session with a secure random ID
interface SessionStore #
// SessionStore is the set of operations a session storage backend must provide.
// All four methods are declared under `mut:` (mutable receiver) and return a
// result (`!`), so each of them can fail.
interface SessionStore {
mut:
// Save session to storage
save(session Session) !
// Load session from storage by ID
// NOTE(review): the contract does not say whether an unknown or expired ID
// produces an error; callers presumably need to check Session.is_expired()
// on the returned value. Confirm per implementation.
load(id string) !Session
// Delete session from storage
delete(id string) !
// Cleanup expired sessions (for server-side storage)
cleanup() !
}
SessionStore defines the interface for session storage backends. v0.3.0: PostgreSQL-only (CookieStore removed). Implementations: PostgresStore (future: RedisStore).
enum SameSite #
// SameSite lists the values accepted by Config.same_site, whose declared default is .strict.
// NOTE(review): the variants presumably map to the cookie attribute values
// Lax, Strict and None. Confirm in the cookie-writing code.
enum SameSite {
lax
strict
// NOTE(review): browsers generally require the Secure attribute on
// SameSite=None cookies, and this value drops the cross-site restriction
// the attribute provides. Confirm another CSRF defence is in place wherever it is used.
none
}
v0.3.0: PostgreSQL-only sessions (cookie storage removed). SameSite is the cookie attribute used for CSRF protection.
struct Config #
// Config holds the session cookie's attributes and the database handle used
// for server-side session storage. All fields are public and read-only (`pub:`).
struct Config {
pub:
cookie_name string = 'varel_session' // Session cookie name (stores session ID only)
max_age int = 86400 // Session lifetime in seconds (default: 24 hours)
http_only bool = true // HttpOnly flag (prevent JS access)
// No default is declared for `secure`, so it is false unless set explicitly.
// NOTE(review): the "auto-detect" behaviour is not visible here. Confirm the
// cookie is never issued without Secure on an HTTPS deployment, including
// behind a TLS-terminating proxy.
secure bool // Secure flag (HTTPS only) - auto-detect if not set
// NOTE(review): browsers generally reject SameSite=None cookies that lack
// Secure; confirm validate() covers `.none` combined with `secure = false`.
same_site SameSite = .strict // SameSite attribute
// NOTE(review): presumably no Domain attribute is sent when this is empty,
// which keeps the cookie host-only; setting it would widen the cookie to
// subdomains. Confirm.
domain string // Cookie domain (optional)
path string = '/' // Cookie path
// Untyped pointer, so the compiler cannot check what it refers to.
// NOTE(review): presumably validate() rejects a nil value. Confirm.
db_conn voidptr // Database connection (required)
}
SessionConfig configures PostgreSQL session behavior (v0.3.0)
fn (Config) validate #
fn (c &Config) validate() !
Validate configuration (v0.3.0: PostgreSQL-only)
struct PostgresStore #
// PostgresStore holds the session Config together with a reference to the
// database handle. Neither field is `pub`, and only `db` is declared under `mut:`.
struct PostgresStore {
config Config
mut:
db &database.DB
}
PostgresStore stores sessions in a PostgreSQL database (v0.3.0: JSONB storage). Good for: apps with a database, unlimited session size, sessions that survive restarts. Requires: a PostgreSQL connection and a sessions table with a JSONB data column.
fn (PostgresStore) save #
fn (mut ps PostgresStore) save(sess Session) !
Save session to database (v0.3.0: JSONB storage, updated_at auto-updated by trigger)
fn (PostgresStore) load #
fn (mut ps PostgresStore) load(id string) !Session
Load session from database by ID (v0.3.0: includes updated_at)
fn (PostgresStore) delete #
fn (mut ps PostgresStore) delete(id string) !
Delete session from database
fn (PostgresStore) cleanup #
fn (mut ps PostgresStore) cleanup() !
Clean up expired sessions from the database. Should be called periodically (e.g., via cron job or middleware).
fn (PostgresStore) get_user_sessions #
fn (mut ps PostgresStore) get_user_sessions(user_id int) ![]Session
Get all sessions for a user (useful for "logout all devices") (v0.3.0: includes updated_at)
fn (PostgresStore) delete_user_sessions #
fn (mut ps PostgresStore) delete_user_sessions(user_id int) !
Delete all sessions for a user (logout all devices)
struct Session #
// Session is the in-memory form of one session record: its ID, key-value data,
// optional user binding and timestamps. Every field is `pub mut`, so callers can
// assign to the fields directly as well as through the Session methods.
struct Session {
pub mut:
// The session cookie carries this value (Config.cookie_name "stores session ID
// only"), so it acts as a bearer credential: keep it out of logs and error messages.
id string // 64-char hex session ID (32 bytes random)
// Keys and values are plain strings.
// NOTE(review): whether values are encrypted at rest is not shown on this
// page. Confirm before storing secrets here.
data map[string]string // Session data (key-value pairs)
// Optional value; empty when no user is bound to the session.
// NOTE(review): presumably written by set_user/clear_user and read by
// is_authenticated. Confirm.
user_id ?int // User ID if authenticated
created_at time.Time // Session creation time
// NOTE(review): presumably what is_expired() compares against the current
// time; time zone handling is not visible here.
expires_at time.Time // Session expiration time
updated_at time.Time // Last modification time (auto-updated by PostgreSQL trigger)
is_saved bool // True if session exists in database, false if needs saving
}
Session represents a user session with data and metadata
fn (Session) get #
fn (s &Session) get(key string) ?string
Get value from session data
fn (Session) set #
fn (mut s Session) set(key string, value string)
Set value in session data
fn (Session) delete #
fn (mut s Session) delete(key string)
Delete value from session data
fn (Session) clear #
fn (mut s Session) clear()
Clear all session data
fn (Session) is_expired #
fn (s &Session) is_expired() bool
Check if session has expired
fn (Session) regenerate_id #
fn (mut s Session) regenerate_id() !
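Regenerate the session ID. Intended to be called after login, so that an ID issued before authentication is not the one bound to the authenticated session (the standard defence against session fixation). This page does not state whether the row stored under the old ID is removed; confirm that it is deleted or replaced when the session is saved.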
fn (Session) set_user #
fn (mut s Session) set_user(user_id int)
Set authenticated user
fn (Session) clear_user #
fn (mut s Session) clear_user()
Clear authenticated user
fn (Session) is_authenticated #
fn (s &Session) is_authenticated() bool
Check if session has an authenticated user