Sessions

Sessions in Ring work a little differently than you might expect, because Ring attempts to be functional when possible.

Session data is passed via the request map on the :session key. The following example prints out the current username from the session.

(use 'ring.middleware.session
     'ring.util.response)

(defn handler [{session :session}]
  (response (str "Hello " (:username session)))

(def app
  (wrap-session handler))

To change the session data, you can add a :session key to the response that contains the updated session data. The next example counts the number of times the current session has accessed the page.

(defn handler [{session :session}]
  (let [count   (:count session 0)
        session (assoc session :count (inc count))]
    (-> (response (str "You accessed this page " count " times."))
        (assoc :session session))))

Session Stores

Session data is saved in session stores. There are two stores included in Ring:

• ring.middleware.session.memory/memory-store - stores sessions in memory
• ring.middleware.session.cookie/cookie-store - stores sessions encrypted in a cookie

By default, Ring stores session data in memory, but this can be overridden with the :store option:

(use 'ring.middleware.session.cookie)

(def app
  (wrap-session your-handler {:store (cookie-store)})

You can write your own session store by implementing the ring.middleware.session.store/SessionStore protocol:

(use 'ring.middleware.session.store)

(deftype CustomStore []
  SessionStore
  (read-session [_ key]
    (read-data key))
  (write-session [_ key data]
    (let [key (or key (generate-new-random-key))]
      (save-data key data)
      key))
  (delete-session [_ key]
    (delete-data key)
    nil))

Note that when writing the session, the key will be nil if this is a new session. The session store should expect this, and generate a new random key. It is very important that this key cannot be guessed, otherwise malicious users could access other people's session data.