Amazon DynamoDB Session Store

This gem handles sessions for Ruby web applications using a DynamoDB backend. It is compatible with all Rack based frameworks including Rails.

A DynamoDB backend provides scaling and centralized data benefits for session storage with more ease than other containers, like local servers or cookies. Once an application scales beyond a single web server, session data will need to be shared across the servers. Cookie storage places all session data on the client side, discouraging sensitive data storage. It also forces strict data size limitations. DynamoDB takes care of these concerns by allowing for a safe and scalable storage container with a much larger data size limit for session data.

For more developer information, see the Full API documentation.

Installation

Add this gem to your Rack application’s Gemfile:

gem 'aws-sessionstore-dynamodb', '~> 3'

If you are using Rails, please include the aws-sdk-rails gem for extra functionality, including generators for the session table, ActionDispatch Session integration, a garbage collection Rake task, and more:

gem 'aws-sdk-rails', '~> 4'

Configuration

A number of options are available to be set in Aws::SessionStore::DynamoDB::Configuration, which is used throughout the application. These options can be set directly in Ruby code, in ENV variables, or in a YAML configuration file, in order of precedence.

The full set of options along with defaults can be found in the Configuration documentation.

Environment Options

All Configuration options can be loaded from the environment except for :dynamo_db_client and :error_handler, which must be set in Ruby code directly if needed. The environment options must be prefixed with AWS_DYNAMO_DB_SESSION_ and then the name of the option:

AWS_DYNAMO_DB_SESSION_<name-of-option>

The example below would be a valid way to set the session table name:

export AWS_DYNAMO_DB_SESSION_TABLE_NAME='your-table-name'

YAML Configuration

You can create a YAML configuration file to set the options. The file must be passed into Configuration as the :config_file option or with the AWS_DYNAMO_DB_SESSION_CONFIG_FILE environment variable.

Creating the session table

After installation and configuration, you must create the session table using the following Ruby methods:

options = { table_name: 'your-table-name' } # overrides from YAML or ENV
Aws::SessionStore::DynamoDB::Table.create_table(options)
Aws::SessionStore::DynamoDB::Table.delete_table(options)

Usage

Run the session store as a Rack middleware in the following way:

require 'aws-sessionstore-dynamodb'
require 'some_rack_app'

options = { :secret_key => 'secret' } # overrides from YAML or ENV

use Aws::SessionStore::DynamoDB::RackMiddleware.new(options)
run SomeRackApp

Note that :secret_key is a mandatory configuration option that must be set.

RackMiddleware inherits from the Rack::Session::Abstract::Persisted class, which also includes additional options (such as :key) that can be set.

The RackMiddleware inherits from the Rack::Session::Abstract::Persisted class, which also includes additional options (such as :key) that can be passed into the class.

Garbage Collection

By default sessions do not expire. You can use :max_age and :max_stale to configure the max age or stale period of a session.

You can use the DynamoDB Time to Live (TTL) feature on the expire_at attribute to automatically delete expired items, saving you the trouble of manually deleting them and reducing costs.

If you wish to delete old sessions based on creation age (invalidating valid sessions) or if you want control over the garbage collection process, you can create your own Rake task:

desc 'Perform Garbage Collection'
task :clean_session_table do
  options = { max_age: 3600*24, max_stale: 5*3600 } # overrides from YAML or ENV
  Aws::SessionStore::DynamoDB::GarbageCollection.collect_garbage(options)
end

The above example will clear sessions older than one day or that have been stale for longer than an hour.

Error Handling

You can pass in your own error handler for raised exceptions or you can allow the default error handler to them for you. See the BaseHandler documentation for more details on how to create your own error handler.