Plain is headed towards 1.0! Subscribe for development updates →

plain.sessions

Database-backed sessions for managing user state across requests.

Overview

The plain.sessions package provides database-backed session management for Plain applications. Sessions allow you to store and retrieve arbitrary data on a per-visitor basis, using a session key stored in a cookie.

Sessions are implemented as a dictionary-like object that automatically handles persistence to the database.

Basic usage

Sessions are automatically available on request objects when the middleware is installed. You can use request.session like a standard Python dictionary:

from plain.views import View

class MyView(View):
    def get(self):
        # Store values in the session
        self.request.session['username'] = 'jane'
        self.request.session['cart_items'] = [1, 2, 3]

        # Retrieve values from the session
        username = self.request.session.get('username')
        cart_items = self.request.session.get('cart_items', [])

        # Check if a key exists
        if 'username' in self.request.session:
            # User has a session
            pass

        # Delete values from the session
        del self.request.session['cart_items']

The session data is automatically saved when you set or delete values. Sessions are stored in the database using the Session model.

Session configuration

Sessions can be configured through various settings:

# Cookie name (default: "sessionid")
SESSION_COOKIE_NAME = "sessionid"

# Age of cookie in seconds (default: 2 weeks)
SESSION_COOKIE_AGE = 60 * 60 * 24 * 7 * 2

# Domain for session cookie (None for standard domain cookie)
SESSION_COOKIE_DOMAIN = None

# Whether the session cookie should be secure (https:// only)
SESSION_COOKIE_SECURE = True

# The path of the session cookie
SESSION_COOKIE_PATH = "/"

# Whether to use the HttpOnly flag
SESSION_COOKIE_HTTPONLY = True

# Whether to set the flag restricting cookie leaks on cross-site requests
# Can be 'Lax', 'Strict', 'None', or False
SESSION_COOKIE_SAMESITE = "Lax"

# Whether to save the session data on every request
SESSION_SAVE_EVERY_REQUEST = False

# Whether a user's session cookie expires when the browser is closed
SESSION_EXPIRE_AT_BROWSER_CLOSE = False

Session management

The SessionStore class provides additional methods for managing sessions:

Flushing sessions

To completely remove the current session data and regenerate the session key:

# Delete all session data and get a new session key
request.session.flush()

Cycling session keys

To create a new session key while retaining the current session data (useful for security purposes):

# Keep the data but change the session key
request.session.cycle_key()

Checking if session is empty

if request.session.is_empty():
    # No session data exists
    pass

Admin interface

The package includes an admin interface for viewing and managing sessions. Sessions can be viewed in the admin panel under the "Sessions" section, where you can:

  • Search sessions by session key
  • View session creation and expiration times
  • Delete expired or unwanted sessions

The SessionAdmin viewset provides the interface for managing sessions in the admin panel.

Installation

Install the plain.sessions package from PyPI:

uv add plain.sessions

Add plain.sessions to your INSTALLED_PACKAGES and include the SessionMiddleware in your middleware:

INSTALLED_PACKAGES = [
    # ...
    "plain.sessions",
]

MIDDLEWARE = [
    # ...
    "plain.sessions.middleware.SessionMiddleware",
    # ...
]

Run migrations to create the session table:

plain migrate plain.sessions