Clearing and/or revoking session using bun:sqlite database

[DistantMe]

I've just started using hono_sessions and wondering if there is any documentation hidden away somewhere aside from what is in the readme.md file?

I am specifically having an issue where my session data is not being cleared from my bun:sqlite database automatically, even after sessions expire. Is this by design, or should the data be automatically purged?

If we have to manage this manually, are there any functions we can utilize to clear expired sessions (and revoke sessions if required)?

[jcs224]

Old sessions aren't automatically purged, but the expiration is attached to the _expire property of the session JSON object stored in the database. With this, you could write a script or cron job to loop through the sessions table and delete sessions that haven't been used for a while.

If the user tries to access an expired session, it will delete the old session and create a fresh new one. However, if the cookie has been set with a Max-Age or Expires attribute that is ahead of the session expireInSeconds property, the old session will become stale and will have to be cleaned up such as with the method above.

At some point, I might write some docs on how to do this with various databases. Or, create some database-agnostic cleanup method.

[DistantMe]

Thanks for the detailed explanation @jcs224!

I just did some further testing, and removing my maxAge definition from the cookies section does indeed purge the old session from the sqlite database when the user visits with a stale/expired session. This should be good enough for now, and I can tinker a bit if my sessions db grows too large over time.

[ishantoz]

Hey, is there currently any Redis driver available for the Cookie Store in Hono Sessions? If not, are there any plans to support it in the future?

Thanks!

[jcs224]

Hi @shantoislam6,

There is a community Redis adapter here, using ioredis:
https://github.com/FaureAlexis/hono-sessions-redis

In the future, I'm probably going to encourage the community to create their own storage adapters. It's pretty straightforward, but I need to create some documentation on it.

[magiconair]

I think storing the expiration time in or only in the payload has some drawbacks. It would be helpful to clean out the stale sessions from an SQL database periodically which is easy if the expiration date would be part of the table. I'd still limit the number of sessions to be removed in a single purge by a certain number to avoid long running queries.

The second issue is that SQL databases need to create a table. I am trying to implement a Postgres session store and can't just call db.query in the constructor like the Bun.sqlite driver since this returns a Promise that might fail.

I suggest to change the Store definition as follows and add the maxSessionsToDeleteOnPurge as an option. -1 could then mean delete them all and call the purgeStaleSessions function for every request.

export default interface Store {
    initStore(): Promise<void>
    purgeStaleSessions(maxSessions: number): Promise<void>
    getSessionById(sessionId?: string): SessionData | null | undefined | Promise<SessionData | null | undefined>;
    createSession(sessionId: string, initialData: SessionData, maxAgeInSeconds: number): Promise<void> | void;
    persistSessionData(sessionId: string, sessionData: SessionData, maxAgeInSeconds: number): Promise<void> | void;
    deleteSession(sessionId: string): Promise<void> | void;
}

I'm happy to provide the postgres driver once it is working but I need to have an option to clear out the DB from stale sessions. Otherwise cleaning it will be inefficient.

I am aware that Postgres has a jsonb type that allows to query into the payload but I think that's not a good solution. I can make it work though.

[magiconair]

Update: I can probably hide the purging in the store implementation.

[jcs224]

I think this is a good idea. I want to keep the storage layer as simple as possible so it can work with pretty much any key-value store, not just SQL databases.