Muffin-Session - Cookie-based HTTP sessions for the Muffin framework.
Muffin-Session provides a simple and flexible way to manage secure session data via cookies. It integrates seamlessly into Muffin apps with support for JWT, Fernet, and plain base64-encoded sessions.
- 🍪 Cookie-based session management
- 🔐 Supports multiple session backends:
  - Base64 (default)
  - JWT-signed sessions
  - Fernet-encrypted sessions
- 🧠 User loader & login utilities
- 🧩 Optional auto-managed middleware integration

- Python ≥ 3.10
- Muffin ≥ 1.0
- Optional: cryptography for Fernet sessions
Install via pip:

```
pip install muffin-session
```

Install with Fernet encryption support:

```
pip install muffin-session[fernet]
```
```python
# Manual session handling: load the session from the request and
# write it back to the response yourself.
from muffin import Application, ResponseHTML
from muffin_session import Plugin as Session

app = Application('example')
session = Session(app, secret_key='REALLY_SECRET_KEY')


@app.route('/update')
async def update(request):
    ses = session.load_from_request(request)
    ses['var'] = 'value'
    response = ResponseHTML('Session updated.')
    # The cookie is only set if the session is saved to the response.
    session.save_to_response(ses, response)
    return response


@app.route('/load')
async def load(request):
    ses = session.load_from_request(request)
    return ses.get('var')
```
```python
# Auto-managed sessions: with auto_manage=True the session is
# available as request.session in every handler.
from muffin import Application
from muffin_session import Plugin as Session

app = Application('example')
session = Session()
session = Session(app, secret_key='REALLY_SECRET_KEY', auto_manage=True)


@app.route('/update')
async def update(request):
    request.session['var'] = 'value'
    return 'Session updated.'


@app.route('/load')
async def load(request):
    return request.session.get('var')
```
You can pass options via session.setup(...) or set them in your application config using the SESSION_ prefix:
```python
SESSION_SECRET_KEY = 'REALLY_SECRET_KEY'
SESSION_COOKIE_NAME = 'muffin_session'
```
| Option | Default | Description |
|---|---|---|
| session_type | "jwt" | Backend type: "base64", "jwt", or "fernet" |
| secret_key | "InsecureSecret" | Secret used to sign or encrypt sessions |
| auto_manage | False | If enabled, session is auto-loaded into request.session |
| cookie_name | "session" | Name of the session cookie |
| cookie_params | see below | Cookie options: path, max-age, samesite, secure |
| default_user_checker | lambda x: True | Function used to verify authenticated user |
| login_url | "/login" | Redirect URL or callable for unauthenticated users |
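Why `session_type` and `secret_key` matter, as an added example that is not code from muffin-session: a plain base64 cookie has nothing to verify, while an HMAC-signed cookie is rejected once its body no longer matches its signature. It uses only the standard library; the function names and the `payload.signature` layout are illustrative assumptions, not the plugin's wire format, and it assumes the `"base64"` backend applies no signature.

```python
import base64
import hashlib
import hmac
import json

DEFAULT_SECRET = "InsecureSecret"  # default secret_key in the options table

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_plain(session: dict) -> str:
    # Plain base64 of JSON: no key involved, so nothing can be verified later.
    return _b64(json.dumps(session).encode())

def decode_plain(cookie: str) -> dict:
    return json.loads(_unb64(cookie))

def _mac(payload: str, secret: str) -> bytes:
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).digest()

def encode_signed(session: dict, secret: str) -> str:
    # "payload.signature" with HMAC-SHA256, the primitive behind JWT HS256.
    if secret == DEFAULT_SECRET:
        raise ValueError("secret_key is still the documented default")
    payload = encode_plain(session)
    return f"{payload}.{_b64(_mac(payload, secret))}"

def decode_signed(cookie: str, secret: str) -> dict:
    # Return the session only if the signature verifies; otherwise start empty.
    payload, _, sig = cookie.partition(".")
    try:
        if hmac.compare_digest(_unb64(sig), _mac(payload, secret)):
            return json.loads(_unb64(payload))
    except ValueError:  # malformed base64 or JSON
        pass
    return {}

def demo():
    key = "constructed-demo-key"  # constructed sample value
    stored = {"var": "value"}  # constructed sample session
    edited = encode_plain({"var": "changed"})  # cookie body modified after issue
    good = encode_signed(stored, key)
    spliced = edited + "." + good.partition(".")[2]  # old signature, new body
    return decode_plain(edited), decode_signed(good, key), decode_signed(spliced, key)

if __name__ == "__main__":
    print(demo())
```

The same reasoning applies to the documented default `secret_key`: a signature made with a value that is printed in the README verifies nothing, so set `SESSION_SECRET_KEY` per deployment.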
```python
# User loader and login helpers.
# `db` and `authenticate` are application-provided and not defined here.
from muffin import Application
from muffin_session import Plugin as Session

app = Application('example')
session = Session(app, secret_key='REALLY_SECRET_KEY', auto_manage=True)


@session.user_loader
async def load_user(user_id):
    # Resolve the user id stored in the session to a user object.
    return await db.get_user_by_id(user_id)


@app.route('/session')
async def get_session(request):
    return dict(request.session)


@app.route('/admin')
@session.user_pass(lambda user: user.is_admin)
async def admin(request):
    # Only reached when the loaded user passes the check above.
    return 'Top secret admin page.'


@app.route('/login')
async def login(request):
    user = await authenticate(request)
    session.login(request, user.id)
    return 'Logged in.'


@app.route('/logout')
async def logout(request):
    session.logout(request)
    return 'Logged out.'


@app.route('/clear')
async def clear(request):
    request.session.clear()
    return 'Session cleared.'
```
Found a bug or want to propose a feature? Please use the issue tracker at: https://github.com/klen/muffin-session/issues
Want to contribute? PRs are welcome! Development happens at: https://github.com/klen/muffin-session
This project is licensed under the MIT license. See MIT license for details.
- Kirill Klenov (klen) - https://github.com/klen