session_header_plug

A plug to handle session headers and session stores


License
0BSD

Documentation

SessionHeaderPlug

SessionHeaderPlug is a plug to handle session headers and session stores.

Plug.Session stores the session data (whether a session ID or the session itself) in a cookie. While this works great for server-rendered sites and same-origin clients, it fails for cross-origin clients using modern browser defaults.

You could include the session data in the bodies of your requests and responses, but this would require significant API design: either every response would have to include the session data, or every response would need logic to decide whether to include it.

SessionHeaderPlug operates just like Plug.Session, only it transmits and receives the session data through a custom header instead of a cookie.

Installation

Add session_header_plug and a session store to your list of dependencies in mix.exs:

defp deps do
  [
    {:session_header_plug, "~> 0.1.1"},
    {:session_server_store, "~> 0.1.0"}
  ]
end

Usage

Server

  1. Plug it in.

plug SessionHeaderPlug,
  store: SessionServerStore,
  key: "session-id",
  timeout: 86400,
  idle_timeout: :infinity

plug :fetch_session

  2. Use the session functions on Plug.Conn.

conn
|> put_session(:user_id, "admin@somedomain.com")
|> put_session(:admin?, true)
|> json(%{foo: "bar"})

Client

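// Send the stored session ID, if any (getItem returns null before the first session)
const sid = localStorage.getItem('sid')
const headers = sid ? { 'session-id': sid } : {}

fetch('https://somedomain.com/api/', { headers: headers })
  .then((response) => {
    // Only store the header when the response actually carries one
    const newSid = response.headers.get('session-id')
    if (newSid) localStorage.setItem('sid', newSid)
  })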
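
For the cross-origin client above, the browser only sends a custom request header after a successful CORS preflight, and only lets JavaScript read a custom response header that the server lists in Access-Control-Expose-Headers. The plug below is an added example, not part of session_header_plug; the module name MyAppWeb.SessionHeaderCORS and the origin https://app.example.com are assumptions, and it treats every OPTIONS request from an allowed origin as a preflight.

```elixir
defmodule MyAppWeb.SessionHeaderCORS do
  @moduledoc "Added example (hypothetical module): CORS headers for the session header."
  @behaviour Plug
  import Plug.Conn

  # Must match the :key option given to SessionHeaderPlug.
  @session_header "session-id"
  # Constructed value: list the exact client origins you trust, never "*".
  @allowed_origins ["https://app.example.com"]

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    case get_req_header(conn, "origin") do
      [origin] when origin in @allowed_origins -> allow(conn, origin)
      # Unknown or missing origin: add no CORS headers, so the browser blocks the read.
      _ -> conn
    end
  end

  defp allow(conn, origin) do
    conn =
      conn
      |> put_resp_header("access-control-allow-origin", origin)
      |> put_resp_header("vary", "origin")
      # Lets client-side JavaScript read the session header from the response.
      |> put_resp_header("access-control-expose-headers", @session_header)

    if conn.method == "OPTIONS" do
      # Preflight: permit the custom request header, then stop before the session plug.
      # No access-control-allow-credentials header: the session is not carried in a cookie.
      conn
      |> put_resp_header("access-control-allow-headers", @session_header <> ", content-type")
      |> put_resp_header("access-control-allow-methods", "GET, POST, PUT, PATCH, DELETE")
      |> put_resp_header("access-control-max-age", "600")
      |> send_resp(204, "")
      |> halt()
    else
      conn
    end
  end
end
```

Place `plug MyAppWeb.SessionHeaderCORS` before `plug SessionHeaderPlug` so preflight requests are answered before any session handling runs.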