arangodb/Documentation/Books/Users/FoxxBundledApps/Sessions.mdpp

!CHAPTER The Sessions App

The sessions app provides a session storage JavaScript API that can be used in other Foxx apps.

!SECTION Configuration

This app has the following configuration options:

* *timeToLive* (optional): number of milliseconds until the session expires or *0* to disable session expiry. Default: *604800000* (one week).
* *ttlType* (optional): attribute against which the *timeToLive* is enforced. Valid options: *lastAccess*, *lastUpdate*, *created*. Default: *"created"*.
* *sidTimestamp* (optional): whether to append a timestamp to the random part of generated session IDs. Default: *false*.
* *sidLength* (optional): number of random characters to use for new session IDs. Default *20*.

!SECTION JavaScript API: *sessionStorage*

This app exposes a session storage via a JavaScript API named *sessionStorage*.

@EXAMPLES

```js
var sessionStorage = Foxx.requireApp('/_system/sessions').sessionStorage;
```

!SUBSECTION Exceptions

!SUBSUBSECTION Session Not Found

Indicates a session could not be found in the database.

`new sessionStorage.errors.SessionNotFound(sessionId)`

Thrown by the session storage's *delete* and *get* methods if passed a session ID that does not exist in the database.

@EXAMPLES

```js
try {
    sessionStorage.get(invalidSessionId);
} catch(err) {
    assertTrue(err instanceof sessionStorage.errors.SessionNotFound);
}
```

!SUBSUBSECTION Session Expired

Indicates the session exists in the database but has expired.

`new sessionStorage.errors.SessionExpired(sessionId)`

Thrown by the session storage's *get* method if passed a session ID for a session that has expired. See also this app's configuration options.

@EXAMPLES

```js
try {
    sessionStorage.get(expiredSessionId);
} catch(err) {
    assertTrue(err instanceof sessionStorage.errors.SessionExpired);
    assertTrue(err instanceof sessionStorage.errors.SessionNotFound);
}
```

!SUBSECTION The session object

Session objects are instances of a Foxx model with the following attributes:

* *sessionData*: volatile session data. This can be an arbitrary object that will be stored with the session in the database. If you want to store session-specific (rather than user-specific) data in the database, this is the right place for that.
* *uid*: the session's active user's *_key* or *undefined* (no active user).
* *userData*: the session's active user's *userData* attribute or an empty object.
* *created*: timestamp the session was created at.
* *lastAccess*: timestamp of the last time the session was fetched from the database.
* *lastUpdate*: timestamp of the last time the session was written to the database.

!SUBSECTION Create a session

Creates and saves a new instance of the session model.

`sessionStorage.create(sessionData)`

*Parameter*

* *sessionData* (optional): an arbitrary object that will be stored as the session's *sessionData* attribute when the model is saved to the database.

@EXAMPLES

```js
var session = sessionStorage.create(sessionData);
assertEqual(session.get('sessionData'), sessionData);
```

!SUBSECTION Fetch an existing session

Fetch a session from the database for a given ID.

`sessionStorage.get(sessionId)`

Attempts to load the session with the given session ID from the database. If the session does not exist, a *SessionNotFound* exception will be thrown. If the session does exist, but has already expired, a *SessionExpired* exception will be thrown instead.

*Parameter*

* *sessionId*: a session *_key*.

@EXAMPLES

```js
var session = sessionStorage.get(sessionId);
```

!SUBSECTION Delete a session

There are two ways to delete a session from the database:

* calling the session storage's *delete* method with a session ID directly
* telling a session to delete itself

!SUBSUBSECTION Delete a session by its ID

Delete a session with a given ID.

`sessionStorage.delete(sessionId)`

Attempts to delete the session with the given session ID from the database. If the session does not exist, a *SessionNotFound* exception will be thrown. The method always returns *null*.

*Parameter*

* *sessionId*: a session *_key*.

@EXAMPLES

```js
sessionStorage.delete(sessionId);
```

!SUBSUBSECTION Tell a session to delete itself

Delete a session from the database.

`session.delete()`

Attempts to delete the session from the database.

Returns *true* if the session was deleted successfully.

Returns *false* if the session already didn't exist.

@EXAMPLES

```js
session.delete();
```

!SUBSECTION Save a session

Save a session to the database.

`session.save()`

If you made any changes to the session and are not using the sessions app via Foxx Authentication, you must call this method to commit the changes to the database.

@EXAMPLES

```js
session.setUser(user);
session.save();
```

!SUBSECTION Set a session's active user

Set the active user of a session.

`session.setUser(user)`

Expects a Foxx model with a *userData* attribute and sets the session's *uid* attribute to the model's *_key* and the session's *userData* attribute to the model's *userData* attribute.

*Parameter*

* *user*: instance of a Foxx model with a *`userData* attribute.

@EXAMPLES

```js
session.setUser(user);
assertEqual(session.get('uid'), user.get('_key'));
assertEqual(session.get('userData'), user.get('userData'));
```

!SUBSECTION Determine whether a session has expired

Get a session's expiry state.

`session.hasExpired()`

Returns *true* if the session's expiry time lies in the past, *false* otherwise.

!SUBSECTION Determine when a session will expire

Get a session's expiry time.

`session.getExpiry()`

Returns an integer representing the UTC timestamp in milliseconds at which the session will expire, or *Infinity* (indicating the session will never expire) if session expiry is disabled.

!SUBSECTION Determine the TTL of a session

Get a session's time to live.

`session.getTTL()`

Returns an integer representing number of milliseconds until the session will expire, or *Infinity* (indicating the session will never expire) if session expiry is disabled.