Skills iron-session
install
source · Clone the upstream repo
git clone https://github.com/TerminalSkills/skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/TerminalSkills/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/iron-session" ~/.claude/skills/terminalskills-skills-iron-session && rm -rf "$T"
manifest:
skills/iron-session/SKILL.md
safety · automated scan (low risk)
This is a pattern-based risk scan, not a security review. Our crawler flagged:
- references .env files
Always read a skill's source content before installing. Patterns alone don't mean the skill is malicious — but they warrant attention.
source content
iron-session
Overview
iron-session stores session data in encrypted, signed cookies. No database needed. AES-256 encryption + HMAC-SHA256 signing. Works with Next.js App Router and Express.
Instructions
Step 1: Configuration
import { getIronSession } from 'iron-session'
import { cookies } from 'next/headers'

interface SessionData {
  userId?: string
  role?: string
  isLoggedIn: boolean
}

const options = {
  password: process.env.SESSION_SECRET!, // min 32 chars, see Guidelines
  cookieName: 'myapp_session',
  cookieOptions: {
    secure: process.env.NODE_ENV === 'production',
    httpOnly: true,
    sameSite: 'lax' as const,
    maxAge: 604800, // 7 days, in seconds
  },
}

export async function getSession() {
  return getIronSession<SessionData>(await cookies(), options)
}
Step 2: Login/Logout
// POST /api/auth/login
// `user` is the record returned by your credential check (not shown here)
const session = await getSession()
session.userId = user.id
session.role = user.role
session.isLoggedIn = true
await session.save() // seals the data and sets the cookie on the response

// POST /api/auth/logout
const session = await getSession()
session.destroy() // clears the session cookie
Step 3: Protected Pages
import { redirect } from 'next/navigation'

export default async function DashboardPage() {
  const session = await getSession()
  if (!session.isLoggedIn) redirect('/login')
  return <Dashboard userId={session.userId!} />
}
Guidelines
- SESSION_SECRET: min 32 chars. Generate with `openssl rand -hex 32`.
- Cookie limit is 4KB — store IDs only, not large objects.
- Stateless = no revocation by default. Add version check for revocation.
- Always httpOnly + secure in production.
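The version check mentioned above, as an added example rather than code from the skill: it assumes a `sessionVersion` field added to SessionData and a user record that carries the current version (the in-memory `users` map is a constructed stand-in for the database). iron-session already guarantees the cookie was not tampered with; this check adds the one fact a stateless cookie cannot carry, whether it is still current.

```typescript
// Added example (not part of the skill): revocation for stateless
// iron-session cookies via a per-user session version.

interface SessionData {
  userId?: string
  role?: string
  isLoggedIn: boolean
  sessionVersion?: number // copied from the user record at login (assumed field)
}

// Constructed in-memory user store standing in for the real database.
const users = new Map<string, { sessionVersion: number }>([
  ['u1', { sessionVersion: 1 }],
])

// At login: stamp the session with the user's current version before save().
function stampSession(session: SessionData, userId: string): SessionData {
  const user = users.get(userId)
  if (!user) throw new Error('unknown user')
  return { ...session, userId, isLoggedIn: true, sessionVersion: user.sessionVersion }
}

// "Log out everywhere" / password change: bump the version. Every cookie
// issued before this call now carries a stale version and fails the check.
function revokeAllSessions(userId: string): void {
  const user = users.get(userId)
  if (!user) throw new Error('unknown user')
  user.sessionVersion += 1
}

// Run on every request that trusts the session (e.g. inside getSession()).
// Returns false for anonymous sessions, deleted users and stale versions.
function isSessionCurrent(session: SessionData): boolean {
  if (!session.isLoggedIn || !session.userId) return false
  const user = users.get(session.userId)
  if (!user) return false // user deleted: treat as logged out
  return session.sessionVersion === user.sessionVersion
}
```

In the skill's `getSession()`, call `isSessionCurrent` on the unsealed session and `destroy()` it when the check fails, so a revoked cookie is cleared on its next use.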