Session Management Commands
Session management commands for setting up and managing user sessions in your Azu application.
Overview
The Azu CLI provides commands to set up and manage session storage backends. Sessions are essential for maintaining user state across HTTP requests, implementing authentication, and storing temporary user data.
Supported Backends
Azu supports three session storage backends:
Redis: Fast, in-memory key-value store. Best for production, high-traffic applications.
Database: Persistent storage in your application database. Best for audit requirements and queryable sessions.
Memory: In-process memory storage. For development and testing only.
Commands
azu session:setup
Configure and install session management for your application.
Synopsis
azu session:setup [options]
Description
Sets up session management by generating configuration files, initializers, and (optionally) database migrations. The command integrates with your existing application and adds the necessary dependencies.
Options
--backend <type>, -b: Session backend: redis, memory, or database (default: redis)
--force, -f: Overwrite existing configuration files (default: false)
Examples
# Setup with Redis backend (recommended)
azu session:setup
# Setup with explicit backend
azu session:setup --backend redis
# Setup with database backend
azu session:setup --backend database
# Setup with memory backend (development only)
azu session:setup --backend memory
# Force overwrite existing configuration
azu session:setup --backend redis --force
Generated Files
The setup command generates the following files:
All Backends
src/initializers/session.cr # Session configuration
Database Backend Only
src/db/migrations/TIMESTAMP_create_sessions.cr # Sessions table migration
Setup Steps
After running the command, complete these steps:
1. Install dependencies:
shards install
2. Run migrations (database backend only):
azu db:migrate
3. Set environment variables:
# Required for all backends
export SESSION_SECRET="your-secret-key-here"
# For Redis backend
export REDIS_URL="redis://localhost:6379"
# For Database backend
export DATABASE_URL="postgresql://user:password@localhost/myapp"
4. Require the initializer in your application:
# src/app.cr
require "./initializers/session"
Backend-Specific Configuration
Redis Backend
Pros:
Fast performance
Automatic expiration
Scales horizontally
No database overhead
Cons:
Requires Redis server
Data is not persistent across Redis restarts (unless configured)
Configuration:
# src/initializers/session.cr
Session.configure do |config|
  config.store = RedisStore.new(
    url: ENV["REDIS_URL"],
    prefix: "myapp:session:",
    ttl: 1.hour
  )
  config.secret = ENV["SESSION_SECRET"]
end
Database Backend
Pros:
Persistent storage
Queryable sessions
No additional infrastructure
Good for audit trails
Cons:
Slower than Redis
Increases database load
Requires migrations
Configuration:
# src/initializers/session.cr
Session.configure do |config|
  config.store = DatabaseStore.new(
    table: "sessions",
    ttl: 1.hour
  )
  config.secret = ENV["SESSION_SECRET"]
end
Memory Backend
Pros:
No external dependencies
Fast for development
Simple setup
Cons:
Not production-safe
Sessions lost on restart
Not scalable
Single process only
Configuration:
# src/initializers/session.cr
Session.configure do |config|
  config.store = MemoryStore.new(ttl: 1.hour)
  config.secret = ENV["SESSION_SECRET"]
end
azu session:clear
Clear all sessions from the configured backend.
Synopsis
azu session:clear [options]
Description
Removes all active sessions from storage, effectively logging out all users. Use this command for maintenance, security incidents, or when changing session structure.
Options
--force, -f: Skip confirmation prompt
--backend <type>, -b: Override detected backend
Examples
# Clear sessions (with confirmation)
azu session:clear
# Clear without confirmation
azu session:clear --force
# Clear with explicit backend
azu session:clear --backend redis
Confirmation Prompt
Unless --force is specified, you'll be prompted:
Are you sure you want to clear all sessions? This will log out all users. [y/N]:
Backend Detection
The command automatically detects the session backend by:
1. Checking src/initializers/session.cr for store type
2. Reading SESSION_BACKEND environment variable
3. Defaulting to Redis
Clearing Behavior by Backend
Redis
Removes all keys matching the session prefix:
# Pattern: myapp:session:*
azu session:clear
Output:
Clearing sessions...
Backend: redis
Redis URL: redis://localhost:6379
Clearing Redis sessions with pattern: myapp:session:*
Cleared 142 session(s)
✓ Sessions cleared successfully
Database
Executes a DELETE query on the sessions table:
azu session:clear --backend database
Output:
Clearing sessions...
Backend: database
Clearing database sessions...
Cleared 89 session(s)
✓ Sessions cleared successfully
Memory
Cannot be cleared remotely:
azu session:clear --backend memory
Output:
Clearing sessions...
Backend: memory
⚠️ Memory sessions cannot be cleared remotely
Restart the application to clear memory sessions
Common Workflows
Initial Setup
# 1. Choose and setup backend
azu session:setup --backend redis
# 2. Install dependencies
shards install
# 3. Configure environment
cat >> .env << EOF
SESSION_SECRET=$(openssl rand -hex 32)
REDIS_URL=redis://localhost:6379
EOF
# 4. Update application to require session
echo 'require "./initializers/session"' >> src/app.cr
# 5. Start application
azu serve
Switching Backends
# 1. Setup new backend
azu session:setup --backend database --force
# 2. Clear old sessions
azu session:clear --backend redis --force
# 3. Run migrations (if database backend)
azu db:migrate
# 4. Restart application
pkill -f "azu serve"
azu serve
Security Incident Response
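# Immediately invalidate all sessions
azu session:clear --force
# Rotate session secret (an export only reaches processes started from this shell;
# a systemd service reads its own environment, so update that too)
export SESSION_SECRET=$(openssl rand -hex 32)
# Restart application
systemctl restart myapp
Maintenance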
# Before deployment
azu session:clear --force
# After changing session structure
azu session:clear --force
azu serve
Best Practices
1. Use Strong Session Secrets
Generate cryptographically secure secrets:
# Generate random secret
openssl rand -hex 32
# Or use uuidgen (a random UUID carries 122 bits of entropy, fewer than the 256 bits above)
uuidgen
Never commit secrets to version control:
# .gitignore
.env
config/secrets.yml
2. Choose the Right Backend
For Production:
High traffic: Redis
Compliance/audit: Database
Hybrid: Redis with database backup
For Development:
Memory backend for simplicity
3. Set Appropriate TTL
Balance security and user experience:
# Short-lived for sensitive apps (banking)
config.ttl = 15.minutes
# Standard web apps
config.ttl = 1.day
# Remember me functionality
config.ttl = 30.days
4. Monitor Session Storage
# Check Redis memory usage
redis-cli info memory
# Check session count (uses SCAN; KEYS blocks the server while it walks a large keyspace)
redis-cli --scan --pattern "myapp:session:*" | wc -l
# Database session count
psql -c "SELECT COUNT(*) FROM sessions;"
5. Implement Session Cleanup
For database backend, clean expired sessions:
# src/tasks/cleanup_sessions.cr
task :cleanup_sessions do
  DB.exec("DELETE FROM sessions WHERE expires_at < NOW()")
end
Schedule with cron:
# crontab -e
0 2 * * * cd /var/www/myapp && crystal run src/tasks/cleanup_sessions.cr
Configuration Examples
Redis with Custom Options
Session.configure do |config|
  config.store = RedisStore.new(
    url: ENV["REDIS_URL"],
    prefix: "myapp:session:",
    ttl: 2.hours,
    pool_size: 10,
    pool_timeout: 5.seconds
  )
  config.secret = ENV["SESSION_SECRET"]
  config.cookie_name = "myapp_session"
  config.secure = true # HTTPS only
  config.http_only = true
  config.same_site = :strict
end
Database with Cleanup
Session.configure do |config|
  config.store = DatabaseStore.new(
    table: "sessions",
    ttl: 1.day
  )
  config.secret = ENV["SESSION_SECRET"]
  # Auto-cleanup expired sessions
  config.cleanup_interval = 1.hour
end
Environment-Specific Configuration
case ENV["AZU_ENV"]?
when "production"
  Session.configure do |config|
    config.store = RedisStore.new(
      url: ENV["REDIS_URL"],
      prefix: "#{ENV["APP_NAME"]}:session:",
      ttl: 1.day
    )
    config.secret = ENV["SESSION_SECRET"]
    config.secure = true
    config.same_site = :strict
  end
when "development", "test"
  Session.configure do |config|
    config.store = MemoryStore.new(ttl: 1.hour)
    config.secret = "development-secret"
  end
end
Troubleshooting
Sessions Not Persisting
Check configuration:
# Verify initializer is loaded
pp Session.configuration
Verify backend connectivity:
# Redis
redis-cli ping
# Database
psql "$DATABASE_URL" -c "SELECT 1;"
Check cookie settings:
# Ensure cookies are set correctly
config.secure = false # For development (HTTP)
config.http_only = true
Sessions Expiring Too Quickly
Adjust TTL:
config.ttl = 24.hours # Instead of default
Check Redis eviction policy:
redis-cli config get maxmemory-policy
# Should be: allkeys-lru or volatile-lru
Redis Connection Errors
Verify URL format:
# Correct format
redis://localhost:6379
# With auth
redis://:password@localhost:6379
# With database number
redis://localhost:6379/1
Test connection:
redis-cli -u "$REDIS_URL" ping
Database Migration Issues
Ensure migration ran:
azu db:status
Verify table exists:
psql "$DATABASE_URL" -c "\dt sessions"
Re-run migration:
azu db:rollback --steps 1
azu db:migrate
Security Considerations
1. Session Hijacking Prevention
Session.configure do |config|
  config.rotate_on_login = true
  config.regenerate_id = true
  config.secure = true # HTTPS only
  config.same_site = :strict
end
2. Session Fixation Protection
Regenerate session ID after authentication:
def login(user)
  session.regenerate_id
  session[:user_id] = user.id
end
3. Secure Cookie Flags
config.secure = true # HTTPS only
config.http_only = true # No JavaScript access
config.same_site = :strict # CSRF protection
4. Session Secret Rotation
# Generate new secret
NEW_SECRET=$(openssl rand -hex 32)
# Update environment
export SESSION_SECRET="$NEW_SECRET"
# Clear old sessions
azu session:clear --force
# Restart application
systemctl restart myapp
Environment Variables
SESSION_SECRET: Encryption key for session data. Required: Yes
SESSION_BACKEND: Backend type (redis, database, memory). Required: No
REDIS_URL: Redis connection URL. Required: Yes (Redis backend)
DATABASE_URL: Database connection URL. Required: Yes (Database backend)
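The backend detection order and the required environment variables described above, combined into a preflight check that can run before starting or deploying the application. This is an added example, not Azu's own code: the function names, the grep-based store detection and the 32-character minimum are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not Azu code). Assumptions are marked below.

# Documented detection order: initializer store type, SESSION_BACKEND, Redis.
# Assumption: the store type is found by grepping for the store class name.
detect_backend() {
  local init="${1:-src/initializers/session.cr}"
  if [ -f "$init" ] && grep -q 'RedisStore' "$init"; then echo redis
  elif [ -f "$init" ] && grep -q 'DatabaseStore' "$init"; then echo database
  elif [ -f "$init" ] && grep -q 'MemoryStore' "$init"; then echo memory
  else echo "${SESSION_BACKEND:-redis}"
  fi
}

# Prints one line per problem; returns non-zero if any was found.
# Usage: check_session_env <backend> [environment]
check_session_env() {
  local backend="$1"
  local env="${2:-${AZU_ENV:-development}}"
  local secret="${SESSION_SECRET:-}"
  local problems=0
  if [ -z "$secret" ]; then
    echo "SESSION_SECRET is not set"; problems=1
  elif [ "$secret" = "your-secret-key-here" ] || [ "$secret" = "development-secret" ]; then
    echo "SESSION_SECRET is a placeholder value"; problems=1
  elif [ "${#secret}" -lt 32 ]; then  # assumption: 32-character minimum
    echo "SESSION_SECRET is shorter than 32 characters"; problems=1
  fi
  case "$backend" in
    redis)
      case "${REDIS_URL:-}" in
        redis://*) ;;
        *) echo "REDIS_URL must be a redis:// URL"; problems=1 ;;
      esac ;;
    database)
      [ -n "${DATABASE_URL:-}" ] || { echo "DATABASE_URL is not set"; problems=1; } ;;
    memory)
      if [ "$env" = "production" ]; then
        echo "memory backend is for development and testing only"; problems=1
      fi ;;
    *) echo "unknown backend: $backend"; problems=1 ;;
  esac
  return "$problems"
}
```

Call it as `check_session_env "$(detect_backend)" production` and stop the deployment when it returns non-zero.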
Related Commands
azu generate auth - Generate authentication system
azu db:migrate - Run database migrations
azu serve - Development server