Skip to main content

Signed-cookie session extension for the BlackBull ASGI framework.

Project description

blackbull-session

Signed-cookie session extension for the BlackBull ASGI framework.

Early Alpha — API may break between MINOR versions.

PyPI Python License

What this is

A session layer for BlackBull apps. The entire session payload lives in the cookie sent to the client; the server keeps no per-session state. Every value the client could otherwise tamper with is HMAC-signed by a secret the server alone knows, so:

  • a client that modifies the cookie sees the next request treated as a fresh empty session (signature check fails),
  • the server never reads, writes, or replays anything else — no DB hit, no Redis round-trip, no in-process dict to keep consistent across workers,
  • sessions survive worker restarts / horizontal scaling for free (any worker that knows the secret can validate any cookie).

The trade-offs compared with server-side session stores:

  • Cookie size is bounded (browsers cap to ~4 KiB, often less in practice). Sessions storing large objects don't fit.
  • No server-side invalidation: revoking a cookie before it expires requires either rotating the secret (kills every session) or a separate revocation list. Acceptable for many apps; if you need fine-grained revocation, pick a server-side session store instead.

Install

pip install blackbull-session

Use

import os
from blackbull import BlackBull
from blackbull_session import SessionExtension

app = BlackBull()

# Eager — wire on construction.
SessionExtension(app, secret=os.environ['BB_SESSION_SECRET'])

# Or deferred — useful when the app is configured elsewhere.
session = SessionExtension(secret=os.environ['BB_SESSION_SECRET'])
session.init_app(app)

@app.route(path='/')
async def index(scope, receive, send):
    user = scope['session'].get('user')
    scope['session']['hits'] = scope['session'].get('hits', 0) + 1
    await send(...)

After init_app(app), the live extension is reachable at app.extensions['session'].

Configuration

Parameter Default Notes
secret reads BB_SESSION_SECRET Required. HMAC-SHA256 key (bytes or str). Generate with python -c "import secrets; print(secrets.token_urlsafe(32))".
cookie_name 'session' Cookie name carrying the payload.
max_age None When set (seconds), the cookie is signed with a server-side timestamp; older payloads are treated as expired. None means a session cookie that lives only as long as the browser is open.
secure True Secure attribute — cookie sent only over HTTPS.
httponly True HttpOnly attribute — JavaScript can't read the cookie.
samesite 'Lax' Strict / Lax / None (string), or Python None to omit the attribute entirely.
path '/' Cookie Path attribute.

How it fits

blackbull-session is a reference third-party extension that follows the init_app(app) convention — the same convention BlackBull's own in-tree OpenAPIExtension uses. It exists partly to validate that the convention works for external packages without modifications.

License

Apache License 2.0 — © TOKUJI.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

blackbull_session-0.1.0a1.tar.gz (14.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

blackbull_session-0.1.0a1-py3-none-any.whl (12.5 kB view details)

Uploaded Python 3

File details

Details for the file blackbull_session-0.1.0a1.tar.gz.

File metadata

  • Download URL: blackbull_session-0.1.0a1.tar.gz
  • Upload date:
  • Size: 14.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for blackbull_session-0.1.0a1.tar.gz
Algorithm Hash digest
SHA256 5e117986f362597d64524ddbf90f9727c47feb2a773a73ea69d493f30970ad29
MD5 ee4a32ed3630a0c7d31f75ed3dd10f38
BLAKE2b-256 89fc2b14354c24943658a39c36db16a5a54091682efda76ffd257297120de67c

See more details on using hashes here.

File details

Details for the file blackbull_session-0.1.0a1-py3-none-any.whl.

File metadata

File hashes

Hashes for blackbull_session-0.1.0a1-py3-none-any.whl
Algorithm Hash digest
SHA256 0742dc6fdaeae3a6406aba0ff4b13d7e6942715d33bcc8b4e42d0ba1cc0d4329
MD5 7b0f1394acd1ffa2445aafe9c2c62e7e
BLAKE2b-256 2aaa84fecb9a807a59d3ecfdee499d85063e64396330af45709dd95c4478bb65

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page