[{"data":1,"prerenderedAt":177},["ShallowReactive",2],{"blog-blueprints/redis-sessions":3},{"id":4,"title":5,"body":6,"category":157,"date":158,"dateModified":158,"description":159,"draft":160,"extension":161,"faq":162,"featured":160,"headerVariant":163,"image":162,"keywords":162,"meta":164,"navigation":165,"ogDescription":166,"ogTitle":162,"path":167,"readTime":168,"schemaOrg":169,"schemaType":170,"seo":171,"sitemap":172,"stem":173,"tags":174,"twitterCard":175,"__hash__":176},"blog/blog/blueprints/redis-sessions.md","Redis Session Security Guide",{"type":7,"value":8,"toc":146},"minimark",[9,20,24,30,35,50,54,63,67,76,85,89,94,97,100,103,106,109,120,134],[10,11,12],"blueprint-summary",{},[13,14,15,19],"p",{},[16,17,18],"strong",{},"To secure Redis sessions,"," you need to: (1) use TLS connections to Redis in production, (2) regenerate session IDs after login to prevent session fixation attacks, (3) set cookies as httpOnly and secure with proper sameSite settings, (4) configure appropriate session TTLs, and (5) use a strong session secret (32+ characters). This blueprint ensures session management follows security best practices for server-side storage.",[21,22],"blueprint-meta",{"time":23},"1-2 hours",[25,26,27],"tldr",{},[13,28,29],{},"Redis sessions are faster than database sessions but require secure configuration. 
Use TLS connections, generate cryptographically secure session IDs, implement session rotation on authentication state changes, and set proper TTLs to limit session lifetime.",[31,32,34],"h2",{"id":33},"express-session-with-redis-redis","Express Session with Redis",[36,37,39],"code-block",{"label":38},"server/session.ts",[40,41,46],"pre",{"className":42,"code":44,"language":45},[43],"language-text","import session from 'express-session'\nimport RedisStore from 'connect-redis'\nimport { createClient } from 'redis'\n\n// Secure Redis connection\nconst redisClient = createClient({\n  url: process.env.REDIS_URL,\n  socket: {\n    tls: process.env.NODE_ENV === 'production',\n    rejectUnauthorized: true,\n  },\n})\n\nawait redisClient.connect()\n\nexport const sessionMiddleware = session({\n  store: new RedisStore({ client: redisClient }),\n  secret: process.env.SESSION_SECRET!,  // 32+ characters\n  name: 'sessionId',  // Don't use default 'connect.sid'\n  resave: false,\n  saveUninitialized: false,\n  cookie: {\n    secure: process.env.NODE_ENV === 'production',\n    httpOnly: true,\n    sameSite: 'lax',\n    maxAge: 1000 * 60 * 60 * 24,  // 24 hours\n  },\n})\n","text",[47,48,44],"code",{"__ignoreMap":49},"",[31,51,53],{"id":52},"session-rotation","Session Rotation",[36,55,57],{"label":56},"server/auth.ts",[40,58,61],{"className":59,"code":60,"language":45},[43],"import { Request, Response, NextFunction } from 'express'\n\nexport async function login(req: Request, res: Response) {\n  // Verify credentials...\n  const user = await verifyCredentials(req.body)\n\n  if (!user) {\n    return res.status(401).json({ error: 'Invalid credentials' })\n  }\n\n  // CRITICAL: Regenerate session ID after login\n  // Prevents session fixation attacks\n  req.session.regenerate((err) => {\n    if (err) {\n      return res.status(500).json({ error: 'Session error' })\n    }\n\n    req.session.userId = user.id\n    req.session.loginTime = Date.now()\n\n    res.json({ success: 
true })\n  })\n}\n\nexport async function logout(req: Request, res: Response) {\n  req.session.destroy((err) => {\n    if (err) {\n      return res.status(500).json({ error: 'Logout failed' })\n    }\n    res.clearCookie('sessionId')\n    res.json({ success: true })\n  })\n}\n",[47,62,60],{"__ignoreMap":49},[31,64,66],{"id":65},"session-validation-middleware","Session Validation Middleware",[36,68,70],{"label":69},"server/middleware/auth.ts",[40,71,74],{"className":72,"code":73,"language":45},[43],"export function requireAuth(req: Request, res: Response, next: NextFunction) {\n  if (!req.session.userId) {\n    return res.status(401).json({ error: 'Not authenticated' })\n  }\n\n  // Optional: Check session age for sensitive operations\n  const sessionAge = Date.now() - (req.session.loginTime || 0)\n  const maxAge = 1000 * 60 * 30  // 30 minutes for sensitive ops\n\n  if (req.path.includes('/sensitive') && sessionAge > maxAge) {\n    return res.status(401).json({ error: 'Please re-authenticate' })\n  }\n\n  next()\n}\n\n// For very sensitive operations, require re-authentication\nexport function requireRecentAuth(maxAgeMs = 1000 * 60 * 5) {\n  return (req: Request, res: Response, next: NextFunction) => {\n    const sessionAge = Date.now() - (req.session.loginTime || 0)\n\n    if (sessionAge > maxAgeMs) {\n      return res.status(401).json({\n        error: 'Please re-authenticate for this operation',\n        requireReauth: true,\n      })\n    }\n\n    next()\n  }\n}\n",[47,75,73],{"__ignoreMap":49},[77,78,79],"warning-box",{},[13,80,81,84],{},[16,82,83],{},"Always regenerate session ID after login."," Session fixation attacks trick users into authenticating with attacker-controlled session IDs. 
Regenerating prevents this.",[31,86,88],{"id":87},"security-checklist","Security Checklist",[90,91,93],"h4",{"id":92},"pre-launch-checklist","Pre-Launch Checklist",[13,95,96],{},"Redis connection uses TLS",[13,98,99],{},"Session ID regenerated on login",[13,101,102],{},"Cookies are httpOnly and secure",[13,104,105],{},"Session TTL configured",[13,107,108],{},"Session secret is strong (32+ chars)",[110,111,112,117],"stack-comparison",{},[113,114,116],"h3",{"id":115},"related-integration-stacks","Related Integration Stacks",[13,118,119],{},"NextAuth + Prisma Database Sessions\nClerk Managed Sessions\nOAuth Token Management",[121,122,123,129],"related-articles",{},[124,125],"related-card",{"description":126,"href":127,"title":128},"Database sessions","/blog/blueprints/nextauth-prisma","NextAuth + Prisma",[124,130],{"description":131,"href":132,"title":133},"Deep dive","/blog/guides/auth0","Authentication Guide",[135,136,139,143],"cta-box",{"href":137,"label":138},"/","Start Free Scan",[31,140,142],{"id":141},"check-your-session-security","Check Your Session Security",[13,144,145],{},"Scan for session vulnerabilities.",{"title":49,"searchDepth":147,"depth":147,"links":148},2,[149,150,151,152,156],{"id":33,"depth":147,"text":34},{"id":52,"depth":147,"text":53},{"id":65,"depth":147,"text":66},{"id":87,"depth":147,"text":88,"children":153},[154],{"id":115,"depth":155,"text":116},3,{"id":141,"depth":147,"text":142},"blueprints","2026-02-11","Security guide for Redis session management. Configure secure connections, implement session rotation, prevent fixation attacks, and manage session data safely.",false,"md",null,"purple",{},true,"Secure Redis session management patterns.","/blog/blueprints/redis-sessions","10 min read","[object Object]","Article",{"title":5,"description":159},{"loc":167},"blog/blueprints/redis-sessions",[],"summary_large_image","Kocc4DOFwcpxHqIb1U8yj10vI2ESy3oA2ChhCeb_NQc",1775843932035]