serversession-frontend-snap-1.0.1: Snap bindings for serversession.

Safe HaskellNone



Internal module exposing the guts of the package. Use at your own risk. No API stability guarantees apply.



simpleServerSessionManager :: (Storage sto, SessionData sto ~ SessionMap) => IO sto -> (State sto -> State sto) -> SnapletInit b SessionManager Source #

Simplified version of initServerSessionManager, sufficient for most needs.

class IsSessionData sess => SnapSession sess where Source #

Class for data types that implement the operations Snap expects sessions to support.


ssInsert :: Text -> Text -> sess -> sess Source #

ssLookup :: Text -> sess -> Maybe Text Source #

ssDelete :: Text -> sess -> sess Source #

ssToList :: sess -> [(Text, Text)] Source #

ssInsertCsrf :: Text -> sess -> sess Source #

ssLookupCsrf :: sess -> Maybe Text Source #

ssForceInvalidate :: ForceInvalidate -> sess -> sess Source #

data ServerSessionManager sto Source #

A ISessionManager using server-side sessions.




currentSessionMap :: String -> ServerSessionManager sto -> SessionData sto Source #

Get the current SessionData from currentSession and unwrap its Just. If it's Nothing, error is called. We expect load to be called before any other ISessionManager method.

modifyCurrentSession :: (SessionData sto -> SessionData sto) -> ServerSessionManager sto -> ServerSessionManager sto Source #

Modify the current session in any way.

createCookie :: State sto -> ByteString -> Session sess -> Cookie Source #

Create a cookie for the given session.

The cookie expiration is set via nextExpires. Note that this is just an optimization, as the expiration is checked on the server-side as well.

csrfKey :: Text Source #

The CSRF key is kept as a session variable like any other under this key.

forceInvalidate :: ForceInvalidate -> Handler b SessionManager () Source #

Invalidate the current session ID (and possibly more, check ForceInvalidate). This is useful to avoid session fixation attacks (cf.

Note that the invalidate does not occur when the call to this action is made! The sessions will be invalidated when the session is commited. This means that later calls to forceInvalidate on the same handler will override earlier calls.

This function works by setting a session variable that is checked when saving the session. The session variable set by this function is then discarded and is not persisted across requests.