serversession-frontend-wai-1.0: wai-session bindings for serversession.

Safe Haskell: None



Internal module exposing the guts of the package. Use at your own risk. No API stability guarantees apply.



withServerSession
  :: (Functor m, MonadIO m, MonadIO n, Storage sto, SessionData sto ~ SessionMap)
  => Key (Session m Text ByteString)  -- Vault key to use when passing the session through.
  -> (State sto -> State sto)         -- Set any options on the serversession state.
  -> sto                              -- Storage backend.
  -> n Middleware

Construct the wai-session middleware using the given storage backend and options. This is a convenience function that uses withSession, createState, sessionStore, getCookieName and createCookieTemplate.
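How withServerSession and forceInvalidate (both documented on this page) fit into a WAI application, as an added example that is not code from the serversession packages. The module name, route, timeout values and user name are constructed, the storage backend is left as a parameter, and the setters and ForceInvalidate are imported from Web.ServerSession.Core.

```haskell
{-# LANGUAGE OverloadedStrings, TypeFamilies #-}
module SessionApp (mkApp) where

import           Data.ByteString (ByteString)
import           Data.Text (Text)
import qualified Data.Vault.Lazy as Vault
import           Network.HTTP.Types (status200, status500)
import           Network.Wai (Application, pathInfo, responseLBS, vault)
import           Network.Wai.Session (Session)
import           Web.ServerSession.Core
                   ( ForceInvalidate (..), SessionMap, State, Storage (..)
                   , setAbsoluteTimeout, setHttpOnlyCookies, setIdleTimeout
                   , setSecureCookies )
import           Web.ServerSession.Frontend.Wai.Internal
                   (forceInvalidate, withServerSession)

type AppSession = Session IO Text ByteString

-- Options set on the serversession state; timeout values are constructed.
sessionOptions :: State sto -> State sto
sessionOptions =
    setSecureCookies True                      -- cookie sent over HTTPS only
  . setHttpOnlyCookies True                    -- cookie hidden from page scripts
  . setIdleTimeout (Just (30 * 60))            -- 30 minutes idle
  . setAbsoluteTimeout (Just (8 * 60 * 60))    -- 8 hours in total

-- Assumption: the caller supplies a backend whose session data is SessionMap.
mkApp :: (Storage sto, SessionData sto ~ SessionMap) => sto -> IO Application
mkApp storage = do
  key        <- Vault.newKey
  middleware <- withServerSession key sessionOptions storage
  return (middleware (app key))

app :: Vault.Key AppSession -> Application
app key req respond =
  case Vault.lookup key (vault req) of
    Nothing -> respond (responseLBS status500 [] "session middleware not installed")
    Just session@(_lookup, insert) ->
      case pathInfo req of
        ["login"] -> do
          -- A real handler verifies credentials first; "alice" is constructed.
          -- Invalidate the current session ID at login so that an ID fixed
          -- before authentication is no longer valid afterwards.
          forceInvalidate session CurrentSessionId
          insert "user" "alice"
          respond (responseLBS status200 [] "logged in")
        _ -> respond (responseLBS status200 [] "ok")
```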

sessionStore
  :: (Functor m, MonadIO m, Storage sto, KeyValue (SessionData sto))
  => State sto  -- serversession state, incl. storage backend.
  -> SessionStore m (Key (SessionData sto)) (Value (SessionData sto))  -- wai-session session store.

Construct the wai-session session store using the given state. Note that the key and value types are fixed.

As wai-session always requires a value to be provided, we return an empty ByteString when the empty session was not saved.

mkSession :: (Functor m, MonadIO m, KeyValue sess) => IORef sess -> Session m (Key sess) (Value sess)

Build a Session from an IORef containing the session data.

class IsSessionData sess => KeyValue sess where

Class for session data types that can be used as key-value stores.

Associated Types

type Key sess :: *

type Value sess :: *


kvLookup :: Key sess -> sess -> Maybe (Value sess)

kvInsert :: Key sess -> Value sess -> sess -> sess


createCookieTemplate :: State sto -> SetCookie

Create a cookie template given a state.

Since we don't have access to the Session, we can't fill the Expires field. Besides, as the template is constant, eventually the Expires field would become outdated. This is a limitation of wai-session's interface, not a serversession limitation. Other frontends support the Expires field.

Instead, we fill only the Max-age field. This works fine in modern browsers, but many browsers don't support Max-age and will treat the cookie as non-persistent (notably IE 6, 7 and 8).

calculateMaxAge :: State sto -> Maybe DiffTime

Calculate the Max-age of a cookie template for the given state.

  • If the state asks for non-persistent sessions, the result is Nothing.
  • If no timeout is defined, the result is 10 years.
  • Otherwise, the max age is set as the maximum timeout.

forceInvalidate :: Session m Text ByteString -> ForceInvalidate -> m ()

Invalidate the current session ID (and possibly more, check ForceInvalidate). This is useful to avoid session fixation attacks (cf.