# `Sigra.Plug.FetchSession`
[🔗](https://github.com/sztheory/sigra/blob/v1.20.0/lib/sigra/plug/fetch_session.ex#L1)

Fetches the current user session, enforces timeouts, and assigns `current_scope`.

This plug reads the session token from the Plug session (key: `:user_token`),
fetches the session from the configured session store, validates idle and
absolute timeouts, throttles activity updates, and handles remember-me
cookie rehydration.

If no valid session is found, `current_scope` is assigned as `nil`.

The session struct is stored in `conn.private[:sigra_session]` for downstream
plugs (e.g., `RequireSudo`).

## Cookie Security Defaults

Sets `HttpOnly: true`, `SameSite: Lax`, `Secure: true` by default.
Override `:secure` to `false` in development via the `:cookie_opts` option.

## Options

  * `:config` - A `%Sigra.Config{}` struct (contains session store, timeouts, etc.).
  * `:scope_module` - Module used to construct the scope from the user.
    Must export `new/1`.
  * `:cookie_opts` - Override default cookie security options.
  * `:remember_me_cookie` - Name of the remember-me cookie. Default: `nil` (disabled).

## Example

    plug Sigra.Plug.FetchSession,
      config: @sigra_config,
      scope_module: MyApp.Auth.Scope
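
The documented contract (a `nil` `current_scope` when no valid session exists, the session struct in `conn.private[:sigra_session]`, and `Secure` cookies unless overridden) can be wired up as follows. This is an added example, not code from Sigra. It assumes a Phoenix router and that `:cookie_opts` takes a keyword list; `MyAppWeb.RequireScope`, `MyApp.Auth.sigra_config/0` and the `:dev_plain_http` config key are hypothetical names.

```elixir
# Added example. RequireScope, MyApp.Auth.sigra_config/0 and :dev_plain_http
# are hypothetical names, not part of Sigra.
defmodule MyAppWeb.RequireScope do
  @moduledoc "Fails closed when FetchSession found no valid session."
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    # FetchSession assigns current_scope = nil for a missing or timed-out
    # session. Require the scope and the session struct together.
    case {conn.assigns[:current_scope], conn.private[:sigra_session]} do
      {scope, session} when not is_nil(scope) and not is_nil(session) ->
        conn

      _ ->
        conn
        |> put_resp_header("cache-control", "no-store")
        |> send_resp(401, "authentication required")
        |> halt()
    end
  end
end

defmodule MyAppWeb.Router do
  use Phoenix.Router
  import Plug.Conn

  # Assumption: the application builds its %Sigra.Config{} in this function.
  @sigra_config MyApp.Auth.sigra_config()

  # Secure stays true unless the build is explicitly flagged as plain-HTTP dev.
  @cookie_opts if Application.compile_env(:my_app, :dev_plain_http, false),
                 do: [secure: false],
                 else: []

  pipeline :browser do
    plug :fetch_session  # the token is read from the Plug session (:user_token)
    plug Sigra.Plug.FetchSession,
      config: @sigra_config,
      scope_module: MyApp.Auth.Scope,
      cookie_opts: @cookie_opts
  end

  pipeline :authenticated do
    plug MyAppWeb.RequireScope
  end
end
```

Routes that need a signed-in user go through both pipelines (`pipe_through [:browser, :authenticated]`), so the guard always runs after `FetchSession`.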

# `call`
*since 0.4.0* 

Fetch the current user session, enforce timeouts, and assign `current_scope`.

# `init`
*since 0.4.0* 

Initialize the plug with the given options.

Merges default cookie security options with any user-provided overrides.

