session-management — quality + safety report
In the Skillier index (secondsky__session-management) · scanned 2026-06-03 · engine: builtin+triage
✓ Clean — no heuristic safety flags surfaced.
Heuristic flags from the builtin scanner, which is known to over-flag (it trips on legitimate env-reading integrations, security skills, and library .eval calls). This is NOT an authoritative malicious verdict — re-scan with SkillSpector for the authoritative result. Run the authoritative scan →
📇 This skill is in the Skillier index (curated · deduped · quality-filtered). Install Skillier to route & load it into your AI client.
Quality notes
No quality issues flagged. ✓
About this skill
Implements secure session management with JWT tokens, Redis storage, refresh flows, and proper cookie configuration. Use when building authentication systems, managing user sessions, or implementing secure logout functionality.
📄 Read the SKILL.md
---
name: session-management
description: Implements secure session management with JWT tokens, Redis storage, refresh flows, and proper cookie configuration. Use when building authentication systems, managing user sessions, or implementing secure logout functionality.
license: MIT
---
# Session Management
Implement secure session management with proper token handling and storage.
## Token-Based Sessions
```javascript
const jwt = require('jsonwebtoken');
function generateTokens(user) {
const accessToken = jwt.sign(
{ userId: user.id, role: user.role, type: 'access' },
process.env.JWT_SECRET,
{ expiresIn: '1h' }
);
const refreshToken = jwt.sign(
{ userId: user.id, type: 'refresh' },
process.env.REFRESH_SECRET,
{ expiresIn: '7d' }
);
return { accessToken, refreshToken };
}
```
## Redis Session Storage
```javascript
const redis = require('redis');
const client = redis.createClient();
class SessionStore {
async create(userId, sessionData) {
const sessionId = crypto.randomUUID();
await client.hSet(`sessions:${userId}`, sessionId, JSON.stringify({
...sessionData,
createdAt: Date.now()
}));
await client.expire(`sessions:${userId}`, 86400 * 7);
return sessionId;
}
async invalidateAll(userId) {
await client.del(`sessions:${userId}`);
}
}
```
## Cookie Configuration
```javascript
app.use(session({
name: 'session',
secret: process.env.SESSION_SECRET,
cookie: {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'strict',
maxAge: 3600000, // 1 hour
domain: '.example.com'
},
resave: false,
saveUninitialized: false
}));
```
## Token Refresh Flow
```javascript
app.post('/auth/refresh', async (req, res) => {
const { refreshToken } = req.cookies;
try {
const payload = jwt.verify(refreshToken, process.env.REFRESH_SECRET);
if (payload.type !== 'refresh') throw new Error('Invalid token type');
const user = await User.findById(payload.userId);
const tokens = generateTokens(user);
res.cookie('accessToken', tokens.accessToken, cookieOptions);
res.json({ success: true });
} catch (err) {
res.status(401).json({ error: 'Invalid refresh token' });
}
});
```
## Security Requirements
- Use HTTPS exclusively
- Set httpOnly and sameSite on cookies
- Implement proper token expiration
- Use strong, unique secrets per environment
- Validate signatures on every request
## Never Do
- Store sensitive data in tokens
- Transmit tokens via URL parameters
- Use weak or shared secrets
- Skip signature validationWant a live grade + an embeddable README badge? Run your skill through the free scanner.
Graded independently by Skillproof — nothing to sell the author. Quality is mechanical + corpus-grounded; safety flags are heuristic (builtin+triage), not a malicious verdict.