Implements secure session management using JWT tokens, Redis storage, refresh flows, and secure cookies in Node.js/Express apps. Use for authentication systems, user sessions, and logout.
Implement secure session management with proper token handling and storage.
Implement secure session management with proper token handling and storage.
const crypto = require('crypto');
const jwt = require('jsonwebtoken');
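/**
 * Issue a short-lived access JWT and a longer-lived refresh JWT for `user`.
 *
 * The access token carries `userId`, `role` and `type: 'access'` and is signed
 * with JWT_SECRET; the refresh token carries only `userId` and
 * `type: 'refresh'` and is signed with a separate REFRESH_SECRET, so one kind
 * of token cannot be verified as the other. Consumers must check the `type`
 * claim (the /auth/refresh route does).
 *
 * NOTE(review): the refresh payload has no per-token id, so a single refresh
 * token cannot be distinguished from the user's others before its 7d expiry —
 * confirm that revocation is handled elsewhere (e.g. via SessionStore).
 *
 * @param {{ id: string|number, role: string }} user - the authenticated user;
 *   only `id` and `role` are placed in the tokens
 * @returns {{ accessToken: string, refreshToken: string }}
 * @throws {Error} if JWT_SECRET or REFRESH_SECRET is unset, so a misconfigured
 *   deployment fails loudly instead of passing `undefined` to jwt.sign
 */
function generateTokens(user) {
  const { JWT_SECRET, REFRESH_SECRET } = process.env;
  if (!JWT_SECRET || !REFRESH_SECRET) {
    throw new Error('JWT_SECRET and REFRESH_SECRET must be set');
  }
  // HS256 is jsonwebtoken's default; stating it keeps sign and verify
  // explicitly in agreement.
  const accessToken = jwt.sign(
    { userId: user.id, role: user.role, type: 'access' },
    JWT_SECRET,
    { expiresIn: '1h', algorithm: 'HS256' }
  );
  const refreshToken = jwt.sign(
    { userId: user.id, type: 'refresh' },
    REFRESH_SECRET,
    { expiresIn: '7d', algorithm: 'HS256' }
  );
  return { accessToken, refreshToken };
}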
const redis = require('redis');
// Shared Redis client used by SessionStore below.
// NOTE(review): with the node-redis v4 API used below (camelCase hSet/expire),
// createClient() only constructs the client; it must be connected with
// `await client.connect()` before the first command — confirm this happens
// elsewhere in the app.
const client = redis.createClient();
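/**
 * Server-side session registry backed by Redis.
 *
 * All sessions of one user live in a single hash, `sessions:<userId>`, whose
 * fields are session ids and whose values are serialized session records.
 * Keeping them under one key is what makes `invalidateAll` a single DEL —
 * the "log out everywhere" action for password changes or suspected
 * compromise.
 *
 * Relies on the module-level `client` (a connected node-redis client) and on
 * `crypto.randomUUID()` for unguessable session ids.
 */
class SessionStore {
  /**
   * @param {number} [ttlSeconds=604800] - lifetime of a user's session hash,
   *   applied (and reset) on every `create`; defaults to 7 days
   */
  constructor(ttlSeconds = 86400 * 7) {
    this.ttlSeconds = ttlSeconds;
  }

  /** Redis key holding every session of one user. */
  static keyFor(userId) {
    return `sessions:${userId}`;
  }

  /**
   * Register a new session for `userId` and return its id.
   *
   * The stored record is `sessionData` plus a server-set `createdAt`
   * timestamp (a caller-supplied `createdAt` is overwritten). `expire` is
   * applied to the whole per-user hash, so creating a session also extends
   * the TTL of that user's other sessions.
   *
   * @param {string|number} userId
   * @param {object} [sessionData] - JSON-serializable data kept with the session
   * @returns {Promise<string>} the new session id (a random UUID)
   */
  async create(userId, sessionData) {
    const key = SessionStore.keyFor(userId);
    const sessionId = crypto.randomUUID();
    const record = { ...sessionData, createdAt: Date.now() };
    await client.hSet(key, sessionId, JSON.stringify(record));
    await client.expire(key, this.ttlSeconds);
    return sessionId;
  }

  /**
   * Revoke one session (e.g. logout from a single device); the user's other
   * sessions are untouched.
   * @param {string|number} userId
   * @param {string} sessionId
   * @returns {Promise<void>}
   */
  async invalidate(userId, sessionId) {
    await client.hDel(SessionStore.keyFor(userId), sessionId);
  }

  /**
   * Revoke every session of `userId` by deleting the whole hash.
   * @param {string|number} userId
   * @returns {Promise<void>}
   */
  async invalidateAll(userId) {
    await client.del(SessionStore.keyFor(userId));
  }
}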
// Cookie-backed server session (presumably express-session, given the
// name/secret/resave/saveUninitialized options). `app` and `session` come
// from the surrounding module; the signing secret comes from the environment.
// NOTE(review): this runs alongside the JWT cookies set by /auth/refresh, so
// the app has two session mechanisms — confirm which one authorizes requests.
app.use(session({
  // A generic cookie name instead of the middleware's default, so the
  // framework in use is not advertised to clients.
  name: 'session',
  secret: process.env.SESSION_SECRET,
  cookie: {
    httpOnly: true, // not readable from page scripts
    secure: process.env.NODE_ENV === 'production', // HTTPS-only outside local dev
    sameSite: 'strict', // never sent on cross-site requests
    maxAge: 3600000, // 1 hour
    // Sent to every subdomain of example.com; any subdomain can then read or
    // overwrite the cookie, so keep this only if subdomains need the session.
    domain: '.example.com'
  },
  resave: false, // don't rewrite unchanged sessions on every request
  saveUninitialized: false // no cookie until something is stored in the session
}));
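/**
 * Exchange a valid refresh token (the `refreshToken` cookie) for a new access
 * token, set as the `accessToken` cookie.
 *
 * Every failure — missing cookie, bad signature, expired token, wrong `type`
 * claim, unknown user — yields the same generic 401 so the response does not
 * reveal which check failed. `jwt`, `User`, `cookieOptions` and
 * `generateTokens` come from the surrounding module.
 *
 * NOTE(review): generateTokens also mints a new refresh token here, but only
 * the access token is set, so the presented refresh token stays valid until
 * its 7d expiry and the new one is discarded. Rotating it, and consulting
 * SessionStore for revocation, would need a refresh-cookie config this
 * snippet does not show.
 */
app.post('/auth/refresh', async (req, res) => {
  const { refreshToken } = req.cookies;
  try {
    if (!refreshToken) throw new Error('Missing refresh token');
    // Pin the algorithm to what generateTokens signs with.
    const payload = jwt.verify(refreshToken, process.env.REFRESH_SECRET, {
      algorithms: ['HS256']
    });
    // Reject access tokens presented as refresh tokens.
    if (payload.type !== 'refresh') throw new Error('Invalid token type');
    const user = await User.findById(payload.userId);
    // Explicit check instead of relying on generateTokens to fail on null.
    if (!user) throw new Error('Unknown user');
    const { accessToken } = generateTokens(user);
    res.cookie('accessToken', accessToken, cookieOptions);
    res.json({ success: true });
  } catch (err) {
    // Failure detail stays server-side; the client only learns it was rejected.
    res.status(401).json({ error: 'Invalid refresh token' });
  }
});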
npx claudepluginhub secondsky/claude-skills --plugin session-management

Implement secure session handling with proper token generation, storage, expiry, CSRF protection, and session invalidation.
Implements secure session management with cryptographically random tokens, HttpOnly/Secure/SameSite cookies, and timeout enforcement to prevent hijacking and fixation.
Guides session token generation, cookie security configuration, timeout policies, and revocation to prevent hijacking and fixation attacks.