Session management?

Any recommendations on how to do admin session management in Cloudflare workers in combination with KV?

Seems like the only way forward is to build a library for it ourselves. Which is risky…

Hey @thomas4,

Depends what you’re trying to achieve and how, could you elaborate a bit more?

I’ve managed to authenticate users, store encrypted hashes and now I need to add session tracking.

So, create a session cookie and store it on the user in the KV and validate it on each request.

I managed to get JWT tokens working, but it causes a lot of security issues that makes sessions much more suitable for what I’m building.

Yes, you can basically save those sessions in KV and revalidate them based on the value of the cookie provided by your users; in addition, with the crypto API you can validate them directly via Workers.

Here is the implementation reference in workers:

One downside though is that you can revalidate the session by embedding the expiration parameter in the hash, but there is no way to expire the KV values, so you’ll need to recycle them once they’re not used anymore. The plan is to apply a kind of TTL to them and provide a query language to take bulk actions on KV keys.

I hope it makes sense,

Thanks, so would this be enough to handle sessions then?

  1. Create a cryptographically unique string with Web Crypto, after the user is authenticated.
  2. Store the unique string on the user’s KV key value together with an expiry date.
  3. Return the cookie to the user in the header and set HttpOnly; SameSite=strict; secure for XSS and CSRF protection.
  4. Validate the session cookie on each request by checking the unique string and expiry date.

Would be sufficient for session management, yes (on paper); now, is it going to be flexible and robust? Some tests would confirm this. During the beta the KV entries are limited to 1000 and the replication time across our whole platform could be up to ~5 seconds, just so you know.

Now, if you have a list of authorised unique strings associated with expiry dates, it wouldn’t allow you to manage role-based access, as KV is just 2 dimensions; don’t know if this is a requirement for you.

I’m aware of the current restrictions and will add tests in the code to check for unavailable keys and such; shouldn’t be super hard to handle. Yes, 1000 KV entries are more than enough; I’m hoping the limits will be relaxed before the year is out and we go into production. On the tests I’ve done from browsers, it never changes to a different CF datacenter during the lifetime of a session, and even if it does, it switches to a close one, so it should be much less than ~5 seconds max.

I’m aware that the value is only a string, but it can be JSON stringified to store more data and the 64KB limit will be more than enough for session tokens, expiry dates and other meta-data for this project.

Great! Yeah, the limit will be raised to 1B for GA. Indeed the values could be JSON stringified and the limit is 64KB (no plan to raise it for now), so more than enough to store some metadata alongside the tokens, but it would need you to fetch the role information from somewhere. We could also think about having two KVs bound to your Workers environment to have a kind of relational DB to assign and apply role-based access and metadata for the sessions.

Let me know how it goes, have you got KV access already?

I’m not sure why there is a 64KB limit, is it speed/price? Because having at least 100KB would enable us to use it for HTML blocks or templates, 64KB is too small for those use-cases.

For roles, I planned on using a separate KV Namespace.

Yes, I’ve had it for a while now and been doing some experiments :slight_smile:

Maybe because we don’t want our customers to use us as an Origin yet :slight_smile:

I said no plan for now, which doesn’t mean that we won’t ever increase this limit. I’ve been at Cloudflare for 2 years and I’ve learnt not to make strong assertions about our roadmap; I’m always surprised :slight_smile:

OK, sounds good then; let us know if you need extra guidance or if you have any feedback on Workers or KV!

Haha, yeah that makes perfect sense :slight_smile:

Yeah, I hadn’t even used Cloudflare before you released Workers; now I have most things on CF :wink:

In short, I love what you guys are doing, just keep it up!

I’ll keep you updated! Thanks for the swift help, very appreciated.

Is it possible to do anonymous sessions?

I built a stateless session utility using signed and encrypted cookies to store data. It works with the WebCrypto API on Cloudflare Workers.

It allows managing sessions without R2 or Durable Objects.

I hope it helps to resolve this problem.

Live demo:

Currently, everybody can sign in with any username.
I am going to build a more practical sign-up / sign-in feature with this library when I am able to access Cloudflare D1.

Appreciate the work… but can you please explain how this is a “session” when you are creating and storing a cookie and checking that cookie’s existence? How is that a “session”…?