akka-http is an Akka module, originating from spray.io, for building reactive REST services with an elegant DSL. akka-http is a great toolkit for building backends for single-page or mobile applications. In almost all apps there is a need to maintain user sessions and make sure session data is secure and cannot be tampered with.

akka-http-session provides directives for client-side session management in web and mobile applications, using cookies or custom headers + local storage, with optional JSON Web Tokens format support.
A comprehensive FAQ is available, along with code examples (in Java, but easy to translate to Scala) which answers many common questions on how sessions work, how to secure them and implement using akka-http.
Session data typically contains at least the id or username of the logged in user. This id must be secured so that a session cannot be "stolen" or forged easily.
Sessions can be stored on the server, either in-memory or in a database, with the session id sent to the client, or entirely on the client in a serialized format. The former approach requires sticky sessions or additional shared storage, while with the latter (which is supported by this library) sessions can be easily deserialized on any server.
A session is a string token which is sent to the client and should be sent back to the server on every request. To prevent forging, serialized session data is signed using a server secret. The signature is appended to the session data that is sent to the client, and verified when the session token is received back.
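The following is an added example illustrating the signed-token scheme described above (serialized data, a server-secret signature appended, verification on return, plus an expiry as listed among the features). It is a self-contained Python sketch written for this page, not akka-http-session's own code or API: the token layout (`payload.signature`), the `_expires` field, the HMAC-SHA256 choice and the `SERVER_SECRET` value are all assumptions made here for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this example only; a real service loads it from configuration.
SERVER_SECRET = b"example-server-secret-for-illustration"


def _b64(raw: bytes) -> str:
    # URL-safe base64 without padding, so the token is safe in cookies and headers.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: bytes, secret: bytes) -> str:
    # HMAC over the serialized session data; only a holder of the secret can produce it.
    return _b64(hmac.new(secret, payload, hashlib.sha256).digest())


def encode_session(data: dict, secret: bytes, ttl_seconds: int,
                   now: Optional[float] = None) -> str:
    """Serialize session data with an expiry and append the signature."""
    now = time.time() if now is None else now
    body = dict(data, _expires=int(now + ttl_seconds))
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64(payload)}.{sign(payload, secret)}"


def decode_session(token: str, secret: bytes,
                   now: Optional[float] = None) -> Optional[dict]:
    """Return the session data if the signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        encoded, signature = token.split(".", 1)
        payload = _unb64(encoded)
        # Constant-time comparison so signature checking leaks no timing information.
        if not hmac.compare_digest(sign(payload, secret), signature):
            return None
    except (ValueError, TypeError, binascii.Error):
        return None
    body = json.loads(payload)
    if body.get("_expires", 0) <= now:
        return None  # expired sessions are rejected even though the signature is valid
    body.pop("_expires")
    return body


def reencode_with_same_signature(token: str, data: dict) -> str:
    """Build a token carrying different data but the original signature.

    Used below only to show that a client cannot alter session data without
    the server secret: the server's verification rejects the result."""
    _, signature = token.split(".", 1)
    payload = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64(payload)}.{signature}"


if __name__ == "__main__":
    token = encode_session({"user_id": 42}, SERVER_SECRET, ttl_seconds=3600)
    print("token:", token)
    print("valid:", decode_session(token, SERVER_SECRET))
    altered = reencode_with_same_signature(token, {"user_id": 1, "_expires": 2_000_000_000})
    print("altered data:", decode_session(altered, SERVER_SECRET))
```

The server never trusts the client's copy of the data by itself: it recomputes the HMAC over exactly the bytes it received and only then deserializes. Changing the user id, the expiry, or a single byte of the payload invalidates the signature, and a token signed under a different secret is likewise rejected.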
- type-safe client-side sessions
- sessions can be encrypted
- sessions contain an expiry date
- cookie or custom header transport
- support for JWT
- refresh token support (e.g. to implement "remember me")
- CSRF tokens support
- Java & Scala APIs
- CORS Support
- Akka Client Support
- Akka low-level and high-level APIs