Managing sessions ================= MicroPie includes simple session management built on top of cookies. A session stores data associated with a client across multiple requests. Sessions are useful for keeping track of login state, counters and temporary information. Enabling sessions ----------------- By default, MicroPie uses an in‑memory session back‑end implemented by :class:`~micropie.InMemorySessionBackend`. Each session is identified by a ``session_id`` cookie. When the client makes a request, the cookie is read and the session data is loaded from the back‑end. When you modify the session dictionary, MicroPie writes the updated session back at the end of the request and issues a ``Set‑Cookie`` header if needed. In order to use sessions, simply read and write the :attr:`~micropie.Request.session` dictionary in your handler. The following example counts the number of visits for each client: .. code-block:: python from micropie import App class MyApp(App): async def index(self): if "visits" not in self.request.session: self.request.session["visits"] = 1 else: self.request.session["visits"] += 1 return f"You have visited {self.request.session['visits']} times." app = MyApp() Custom session back‑ends ------------------------ The in‑memory back‑end stores all sessions in a Python dictionary. It is suitable for development but will lose data when the process terminates and cannot be shared across worker processes. To persist sessions in a database or cache, implement the abstract :class:`~micropie.SessionBackend` interface: .. code-block:: python from micropie import SessionBackend class DatabaseSessionBackend(SessionBackend): async def load(self, session_id: str) -> dict: # fetch the session from your database or cache data = await get_session_from_db(session_id) return data or {} async def save(self, session_id: str, data: dict, timeout: int) -> None: # store the session with an expiration timeout await save_session_to_db(session_id, data, timeout) Assign your back‑end when constructing your application: .. code-block:: python backend = DatabaseSessionBackend() app = MyApp(session_backend=backend) Expiring sessions ----------------- The global constant :data:`micropie.SESSION_TIMEOUT` controls how long a session remains valid (in seconds). The default is eight hours. Back‑ends may choose to enforce this timeout in whatever manner makes sense for their storage layer. Security considerations ----------------------- Sessions are sent to the client as cookies and should be treated as untrusted input. Avoid storing sensitive information directly in the session. If you implement your own back‑end, ensure that session identifiers are random, unique and that the cookie includes the ``HttpOnly``, ``Secure`` and ``SameSite=Lax`` directives. The in‑memory back‑end provided by MicroPie already issues these flags.