This plug will handle user authorization using session.

The plug will store user and session metadata in the cache store backend. The session metadata has at least an :inserted_at and a :fingerprint key. The :inserted_at value is used to determine if the session has to be renewed, and is set each time a session is created. The :fingerprint will be a random unique id and will stay the same if a session is renewed.

When a session is renewed the old session is deleted and a new created.

You can add additional metadata to sessions by setting or updated the assigned private :pow_session_metadata key in the conn. The value has to be a keyword list.

Example

plug Plug.Session,
  store: :cookie,
  key: "_my_app_demo_key",
  signing_salt: "secret"

plug Pow.Plug.Session,
  repo: MyApp.Repo,
  user: MyApp.User,
  current_user_assigns_key: :current_user,
  session_key: "auth",
  session_store: {Pow.Store.CredentialsCache,
                  ttl: :timer.minutes(30),
                  namespace: "credentials"},
  session_ttl_renewal: :timer.minutes(15),
  cache_store_backend: Pow.Store.Backend.EtsCache,
  users_context: Pow.Ecto.Users

Configuration options

• :session_key - session key name, defaults to "auth". If :otp_app is used it'll automatically prepend the key with the :otp_app value.

• :session_store - the credentials cache store. This value defaults to {Pow.Store.CredentialsCache, backend: Pow.Store.Backend.EtsCache}. The Pow.Store.Backend.EtsCache backend store can be changed with the :cache_store_backend option.

• :cache_store_backend - the backend cache store. This value defaults to Pow.Store.Backend.EtsCache.

• :session_ttl_renewal - the ttl in milliseconds to trigger renewal of sessions. Defaults to 15 minutes in miliseconds.

Custom metadata

The assigned private :pow_session_metadata key in the conn can be populated with custom metadata. This data will be stored in the session metadata when the session is created, and fetched in subsequent requests.

Here's an example of how one could add sign in timestamp, IP, and user agent information to the session metadata:

def append_to_session_metadata(conn) do
  client_ip  = to_string(:inet_parse.ntoa(conn.remote_ip))
  user_agent = get_req_header(conn, "user-agent")

  metadata =
    conn.private
    |> Map.get(:pow_session_metadata, [])
    |> Keyword.put_new(:first_seen_at, DateTime.utc_now())
    |> Keyword.put(:ip, client_ip)
    |> Keyword.put(:user_agent, user_agent)

  Plug.Conn.put_private(conn, :pow_session_metadata, metadata)
end

The :first_seen_at will only be set if it doesn't already exist in the session metadata, while :ip and :user_agent will be updated each time the session is created.

The method should be called after Pow.Plug.Session.call/2 has been called to ensure that the metadata, if any, has been fetched.

Session expiration

Pow.Store.CredentialsCache will, by default, invalidate any session token 30 minutes after it has been generated. To keep sessions alive the :session_ttl_renewal option is used to determine when a session token becomes stale and a new session ID has to be generated for the user (deleting the previous one in the process).

If :session_ttl_renewal is set to zero, a new session token will be generated on every request.

To change the amount of time a session can be alive, both the TTL for Pow.Store.CredentialsCache and :session_ttl_renewal option should be changed:

plug Pow.Plug.Session, otp_app: :my_app,
  session_ttl_renewal: :timer.minutes(1),
  session_store: {Pow.Store.CredentialsCache, ttl: :timer.minutes(15)}

In the above, a new session token will be generated when a request occurs more than a minute after the current session token was generated. The session is invalidated if there is no request for the next 14 minutes.

There are no absolute session timeout; sessions can be kept alive indefinitely.