iron-session
Manage encrypted sessions in Next.js with iron-session. Use for session auth, encrypted cookies, or stateless sessions without a database.
#iron-session #sessions #nextjs #cookies #auth
terminal-skills v1.0.0
Works with: claude-code, openai-codex, gemini-cli, cursor
Usage
$
Getting Started
- Install the skill using the command above
- Open your AI coding agent (Claude Code, Codex, Gemini CLI, or Cursor)
- Reference the skill in your prompt
- The AI will use the skill's capabilities automatically
Example Prompts
- "Review the open pull requests and summarize what needs attention"
- "Generate a changelog from the last 20 commits on the main branch"
Documentation
Overview
iron-session stores session data in encrypted, signed cookies, so no database is needed: the payload is encrypted with AES-256 and authenticated with HMAC-SHA256, which means the browser can neither read nor alter what it holds. Works with Next.js App Router and Express.
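To make the "encrypted and signed" part concrete, here is an added, self-contained illustration of an encrypt-then-MAC cookie seal using the same primitives the overview names (AES-256-CBC plus HMAC-SHA256, via Node's built-in crypto). It is not iron-session's code and not its real seal format (which is not interoperable with this), and the key-derivation parameters are assumptions chosen for the demo; its point is to show that a forged or altered cookie is rejected before anything is decrypted or parsed.

```typescript
import {
  createCipheriv, createDecipheriv, createHmac,
  pbkdf2Sync, randomBytes, timingSafeEqual,
} from 'node:crypto'

// Minimum secret length, matching the Guidelines on this page.
const MIN_PASSWORD_LENGTH = 32

// Derive two independent keys from the password: one for AES, one for the HMAC.
// (Iteration count and salt handling here are illustrative, not iron-session's.)
function deriveKeys(password: string, salt: Buffer): { encKey: Buffer; macKey: Buffer } {
  if (password.length < MIN_PASSWORD_LENGTH) {
    throw new Error(`password must be at least ${MIN_PASSWORD_LENGTH} characters`)
  }
  const material = pbkdf2Sync(password, salt, 10_000, 64, 'sha256')
  return { encKey: material.subarray(0, 32), macKey: material.subarray(32, 64) }
}

// Encrypt-then-MAC: the MAC covers salt, IV and ciphertext, so no part can be swapped.
export function seal(data: object, password: string): string {
  const salt = randomBytes(16)
  const iv = randomBytes(16)
  const { encKey, macKey } = deriveKeys(password, salt)
  const cipher = createCipheriv('aes-256-cbc', encKey, iv)
  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(data), 'utf8'), cipher.final()])
  const mac = createHmac('sha256', macKey).update(Buffer.concat([salt, iv, ciphertext])).digest()
  return [salt, iv, ciphertext, mac].map((b) => b.toString('base64url')).join('.')
}

// Returns the session object, or null for anything malformed, forged or altered.
export function unseal<T = Record<string, unknown>>(token: string, password: string): T | null {
  const parts = token.split('.')
  if (parts.length !== 4) return null
  const [salt, iv, ciphertext, mac] = parts.map((p) => Buffer.from(p, 'base64url'))
  if (salt.length !== 16 || iv.length !== 16 || mac.length !== 32) return null
  const { encKey, macKey } = deriveKeys(password, salt)
  const expected = createHmac('sha256', macKey).update(Buffer.concat([salt, iv, ciphertext])).digest()
  // Constant-time comparison, and it happens BEFORE any decryption or JSON parsing.
  if (!timingSafeEqual(expected, mac)) return null
  try {
    const decipher = createDecipheriv('aes-256-cbc', encKey, iv)
    const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8')
    return JSON.parse(plaintext) as T
  } catch {
    return null
  }
}

// Flip one bit of the ciphertext and confirm the token is rejected rather than decrypted.
export function rejectsTampering(password: string): boolean {
  const parts = seal({ userId: 'u1', role: 'user', isLoggedIn: true }, password).split('.')
  const ct = Buffer.from(parts[2], 'base64url')
  ct[0] ^= 0x01
  parts[2] = ct.toString('base64url')
  return unseal(parts.join('.'), password) === null
}
```

The ordering inside `unseal` is the security-relevant detail: the MAC is checked in constant time over the whole token first, so a client that edits its cookie (or guesses a secret) never reaches the decryption or JSON step. This is also why the secret's length matters: the HMAC is only as strong as the password it is derived from.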
Instructions
Step 1: Configuration
```typescript
import { getIronSession, type SessionOptions } from 'iron-session'
import { cookies } from 'next/headers'

// Everything stored here ends up (encrypted) in the cookie, so keep it small.
interface SessionData { userId?: string; role?: string; isLoggedIn: boolean }

const options: SessionOptions = {
  password: process.env.SESSION_SECRET!,        // at least 32 chars; see Guidelines
  cookieName: 'myapp_session',
  cookieOptions: {
    secure: process.env.NODE_ENV === 'production',
    httpOnly: true,
    sameSite: 'lax' as const,
    maxAge: 604800,                              // 7 days, in seconds
  },
}

export async function getSession() {
  return getIronSession<SessionData>(await cookies(), options)
}
```
Step 2: Login/Logout
```typescript
import { getSession } from './session'   // wherever Step 1's getSession lives (path assumed)

// POST /api/auth/login (called after the user's credentials have been verified)
export async function login(user: { id: string; role: string }) {
  const session = await getSession()
  session.userId = user.id
  session.role = user.role
  session.isLoggedIn = true
  await session.save()                   // encrypts, signs and sets the cookie
}

// POST /api/auth/logout
export async function logout() {
  const session = await getSession()
  session.destroy()                      // clears the data and expires the cookie
}
```
Step 3: Protected Pages
```typescript
import { redirect } from 'next/navigation'
import { getSession } from './session'   // wherever Step 1's getSession lives (path assumed)

export default async function DashboardPage() {
  const session = await getSession()
  // A missing, expired or tampered cookie unseals to an empty session, so this check covers all three.
  if (!session.isLoggedIn) redirect('/login')
  return <Dashboard userId={session.userId!} />   // Dashboard is the app's own component
}
```
Guidelines
- SESSION_SECRET: at least 32 characters. Generate with openssl rand -hex 32.
- Cookie limit is 4KB: store IDs only, not large objects.
- Sessions are stateless, so there is no server-side revocation by default. Add a version check to revoke.
- Always httpOnly + secure in production.
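Steps 2 and 3 above cover login and the isLoggedIn check; the revocation guideline is the part that matters once a user needs to be logged out everywhere. The following is an added example, not from the skill page or from iron-session itself: it models the cookie payload as a plain object so it runs without the library, extends Step 1's SessionData with a sessionVersion, and uses an in-memory users map with registerUser and revokeAllSessions helpers as assumed stand-ins for the app's user store. The raw-size threshold in exceedsCookieBudget is likewise an assumed default.

```typescript
// Shape of the cookie payload from Step 1, extended with a session version.
export interface SessionData {
  userId?: string
  role?: string
  isLoggedIn: boolean
  sessionVersion?: number
}

// Stand-in for the user store (a database table in practice). Only one small integer
// per user is consulted on each request; the session payload itself stays in the cookie.
export interface UserRecord { id: string; role: string; sessionVersion: number }
export const users = new Map<string, UserRecord>()

export function registerUser(id: string, role: string): UserRecord {
  const user: UserRecord = { id, role, sessionVersion: 1 }
  users.set(id, user)
  return user
}

// Step 2's login, plus a snapshot of the user's current version into the cookie.
export function login(session: SessionData, user: UserRecord): SessionData {
  session.userId = user.id
  session.role = user.role
  session.isLoggedIn = true
  session.sessionVersion = user.sessionVersion
  return session                 // with iron-session the caller then does `await session.save()`
}

// "Log out everywhere", password reset, role change: bump the version and every cookie
// sealed with the old value stops validating, even though none of them can be recalled.
export function revokeAllSessions(userId: string): void {
  const user = users.get(userId)
  if (user) user.sessionVersion += 1
}

// Step 3's check, extended: isLoggedIn alone only proves that we sealed this cookie at some point.
export function isSessionValid(session: SessionData): boolean {
  if (!session.isLoggedIn || !session.userId) return false
  const user = users.get(session.userId)
  if (!user) return false                                    // account deleted
  return session.sessionVersion === user.sessionVersion     // false if the cookie predates a revocation
}

// The 4KB limit applies to the sealed cookie, which is larger than the raw JSON
// (IV, MAC and base64 all add bytes), so flag payloads well before 4096 raw bytes.
// The 2048-byte default is an assumed safety margin, not a figure from iron-session.
export function exceedsCookieBudget(data: object, rawLimitBytes = 2048): boolean {
  return new TextEncoder().encode(JSON.stringify(data)).length > rawLimitBytes
}
```

Two things follow from this design. First, the version check reintroduces one store read per protected request, but it is a single integer per user and can be cached briefly; that is the price of revocation in an otherwise stateless scheme. Second, the role copied into the cookie at login is a snapshot, so a role change should also bump the version rather than rely on the cookie being refreshed.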
Information
- Version: 1.0.0
- Author: terminal-skills
- Category: Development
- License: Apache-2.0