Module Contents



Store Sessions inside the datastore.



Invalidates all active sessions for the given user.


Removes old (expired) Sessions

class core.session.Session

Store Sessions inside the datastore. The behaviour of this module can be customized in the following ways:

  • :prop:sameSite can be set to None, “none”, “lax” or “strict” to influence the same-site tag on the cookies

    we set

  • :prop:sessionCookie is set to True by default, causing the cookie to be treated as a session cookie (it will

    be deleted on browser close). If set to False, it will be emitted with the life-time in conf[“viur.session.lifeTime”].

  • The config variable conf[“viur.session.lifeTime”]: Determines, how ling (in Minutes) a session stays valid.

    Even if :prop:sessionCookie is set to True, we’ll void a session server-side after no request has been made within said lifeTime.

  • The config variables conf[“viur.session.persistentFieldsOnLogin”] and

    conf[“viur.session.persistentFieldsOnLogout”] lists fields, that may survive a login/logout action. For security reasons, we completely destroy a session on login/logout (it will be deleted, a new empty database object will be created and a new cookie with a different key is sent to the browser). This causes all data currently stored to be lost. Only keys listed in these variables will be copied into the new session.

kindName = 'viur-session'
sameSite = 'lax'
sessionCookie = True
GUEST_USER = '__guest__'
load(req: viur.core.request.BrowseHandler)

Initializes the Session.

If the client supplied a valid Cookie, the session is read from the datastore, otherwise a new, empty session will be initialized.

save(req: viur.core.request.BrowseHandler)

Writes the session into the database.

Does nothing, in case the session hasn’t been changed in the current request.

__contains__(key: str) bool

Returns True if the given key is set in the current session.

__delitem__(key: str) None

Removes a key from the session.

This key must exist.

__getitem__(key) Any

Returns the value stored under the given key.

The key must exist.

__ior__(other: dict)

Merges the contents of a dict into the session.

get(key: str, default: Any = None) Any

Returns the value stored under the given key.

  • key – Key to retrieve from the session variables.

  • default – Default value to return when key does not exist.

__setitem__(key: str, item: Any)

Stores a new value under the given key.

If that key exists before, its value is overwritten.

markChanged() None

Explicitly mark the current session as changed. This will force save() to write into the datastore, even if it believes that this session hasn’t changed.

reset() None

Invalidates the current session and starts a new one.

This function is especially useful at login, where we might need to create an SSL-capable session.


Everything is flushed.

items() dict_items

Returns all items in the current session.

getSecurityKey() str | None
validateSecurityKey(key: str) bool

Checks if key matches the current CSRF-Token of our session. On success, a new key is generated.

validateStaticSecurityKey(key: str) bool

Checks if key matches the current static CSRF-Token of our session.

core.session.killSessionByUser(user: str | viur.core.db.Key | None = None)

Invalidates all active sessions for the given user.

This means that this user is instantly logged out. If no user is given, it tries to invalidate all active sessions.

Use “__guest__” to kill all sessions not associated with a user.


user – UserID, “__guest__” or None.


Removes old (expired) Sessions