Stateless session management using signed cookies
Project description
dbbasic-sessions
Stateless session management using signed cookies for Python web applications.
Philosophy
"Compute, don't store. Verify, don't persist."
Sessions are temporary authentication state. Following Unix and CGI principles: don't store temporary state, compute it.
Features
- Stateless: No server storage for sessions
- Simple: 15 lines of core code
- Fast: Pure computation, no I/O
- Secure: HMAC-SHA256 signed tokens
- CGI-Perfect: Each request independent, no shared state
- Zero Dependencies: Python stdlib only
Installation
pip install dbbasic-sessions
Quick Start
from dbbasic_sessions import create_session, get_session, destroy_session

# Login - create session
# (response, request, User and render are placeholders for your web framework's objects)
token = create_session(user_id=42)
response.set_cookie('session', token, httponly=True, secure=True)

# Verify session
user_id = get_session(request.cookies.get('session'))
if user_id:
    user = User.get(user_id)  # Get from database
    return render('dashboard', user=user)

# Logout
destroy_session(token)  # No-op server-side; the token stays valid until it expires
response.delete_cookie('session')
API
create_session(user_id, ttl=2592000)
Create a signed session token.
- user_id: User identifier (str or int)
- ttl: Time-to-live in seconds (default: 30 days)
- Returns: Signed token string
get_session(token)
Verify token and extract user ID.
- token: Session token from cookie
- Returns: User ID string, or None if invalid/expired
destroy_session(token)
Logout (no-op server-side, client deletes cookie).
- token: Session token (unused)
- Returns: None
Configuration
Set a secret key in your environment:
export SECRET_KEY="your-secret-key-here"
Generate a secure secret key:
import secrets
print(secrets.token_hex(32))
Security
- Uses HMAC-SHA256 for cryptographic signing
- Timing-safe signature comparison
- Supports HTTPS-only, HttpOnly, and SameSite cookie flags
- Short TTL recommended (1-30 days)
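To make the API and Security sections concrete, here is an added, self-contained illustration of how a stateless signed-cookie session works. It is not the dbbasic-sessions source; the token layout `user_id:expires:signature`, the `key` and `now` parameters (added so the behaviour can be checked deterministically) and the demo secret are assumptions made for this example. It shows the three properties the page claims: HMAC-SHA256 signing, constant-time signature comparison, and expiry enforced purely by computation with no server-side storage.

```python
import hashlib
import hmac
import os
import time

# Constructed for this example. In deployment the secret comes from the
# SECRET_KEY environment variable, as the Configuration section describes.
SECRET_KEY = os.environ.get("SECRET_KEY", "example-secret-for-demo-only").encode()


def _sign(payload: str, key: bytes) -> str:
    """HMAC-SHA256 over the payload, hex-encoded."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def create_session(user_id, ttl=2592000, key=SECRET_KEY, now=None):
    """Return a self-describing signed token; nothing is written server-side.

    Assumed token layout: "<user_id>:<expiry unix time>:<hex signature>".
    """
    now = int(time.time()) if now is None else now
    payload = f"{user_id}:{now + ttl}"
    return f"{payload}:{_sign(payload, key)}"


def get_session(token, key=SECRET_KEY, now=None):
    """Return the user id as a string, or None when the token is missing,
    malformed, tampered with, signed under a different key, or expired."""
    if not token:
        return None
    try:
        # rsplit keeps any ':' inside user_id intact; only the last two
        # fields are expiry and signature.
        user_id, expires_str, sig = token.rsplit(":", 2)
        expires = int(expires_str)
    except ValueError:
        return None
    # Re-sign exactly the bytes the client presented, then compare in
    # constant time so response timing leaks nothing about the correct MAC.
    expected = _sign(f"{user_id}:{expires_str}", key)
    if not hmac.compare_digest(expected, sig):
        return None
    now = int(time.time()) if now is None else now
    if now >= expires:
        return None
    return user_id


def destroy_session(token):
    """Server-side no-op, as on the page: the client deletes the cookie.
    The token itself remains verifiable until its expiry passes."""
    return None


if __name__ == "__main__":
    tok = create_session(42, ttl=60)
    print("valid token   ->", get_session(tok))
    forged = tok.replace("42:", "43:", 1)          # change the user id
    print("tampered id   ->", get_session(forged))
    print("wrong key     ->", get_session(tok, key=b"other-key"))
    print("after expiry  ->", get_session(tok, now=int(time.time()) + 61))
```

Two points worth noting from the code: verification re-signs the exact string the client sent rather than a re-serialised copy, so a token that parses the same but differs byte-for-byte is rejected; and because `destroy_session` stores nothing, logout cannot revoke a stolen cookie before its TTL elapses, which is why the page recommends a short TTL.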
Performance
- Create session: 0.01ms
- Verify session: 0.01ms
- Memory usage: 0 bytes (no server storage)
- Scales: Infinitely (stateless)
Why Signed Cookies?
- Unix philosophy: Don't store temporary state
- CGI philosophy: Stateless processes
- Industry standard: Flask, Rails default
- Simple: 15 lines vs 20-30 with storage
- Fast: No I/O, pure computation
- Scales: Infinite horizontal scaling
License
MIT License
File details
Details for the file dbbasic_sessions-3.0.0.tar.gz.
File metadata
- Download URL: dbbasic_sessions-3.0.0.tar.gz
- Upload date:
- Size: 9.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.1
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 50aa1f9195c1003c7c4faf9711a6c3cfea00533c7e2da9c2a63e480f91114e16 |
| MD5 | ad50472c8e7b7d667aec6fb74d9c7b8b |
| BLAKE2b-256 | 638bc34ef0b21ea39b1352dc2887c036d8f6210a86e24a6adcf508cdfd0eb201 |
File details
Details for the file dbbasic_sessions-3.0.0-py3-none-any.whl.
File metadata
- Download URL: dbbasic_sessions-3.0.0-py3-none-any.whl
- Upload date:
- Size: 11.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.1
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | fffa475f8333c6d9a4dbaf1baa8b906b2b48fc8d5ab3a5064a9d3924a5fc5bf4 |
| MD5 | c86e374f5b9cc192d4d11d789c037d20 |
| BLAKE2b-256 | a4518ba25be1bc3b83cb95fc0801592108537236ec87bc22b5e377bec196ea81 |