Redis session storage cheatsheet.

Pattern

session:<id> → JSON or hash { user_id, exp, csrf }

import json
import secrets
import redis as redis_lib

redis = redis_lib.Redis(decode_responses=True)  # client used by every snippet below; str in, str out

def create_session(user_id):
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; never a counter or timestamp
    redis.setex(f"session:{sid}", 86400 * 7, json.dumps({"user_id": user_id}))  # SETEX sets value and TTL atomically
    return sid

def get_session(sid):
    raw = redis.get(f"session:{sid}")
    return json.loads(raw) if raw else None  # None once expired or revoked

def revoke(sid):
    redis.delete(f"session:{sid}")

Hash storage (richer)

import time

def create_session(user_id, client_ip):  # client_ip comes from the framework's request object
    sid = secrets.token_urlsafe(32)
    key = f"session:{sid}"
    # HSET has no TTL argument; send HSET and EXPIRE in one MULTI/EXEC so a crash
    # between them can never leave a session key without a TTL
    with redis.pipeline() as pipe:
        pipe.hset(key, mapping={
            "user_id": user_id,
            "created": time.time(),
            "ip": client_ip,
        })
        pipe.expire(key, 86400 * 7)
        pipe.execute()
    return sid

Sliding expiration

def touch_session(sid, ttl=86400 * 7):
    redis.expire(f"session:{sid}", ttl)

Call on each authenticated request: active users stay logged in, idle sessions drop out after ttl seconds of inactivity.

User → sessions index

def create_session(user_id):
    sid = secrets.token_urlsafe(32)
    redis.setex(f"session:{sid}", 86400 * 7, user_id)
    # the set has no TTL: expired sids stay in it until revoke_all clears it
    # (or SREM the sid when a single session is revoked)
    redis.sadd(f"user_sessions:{user_id}", sid)
    return sid

def revoke_all(user_id):
    sids = redis.smembers(f"user_sessions:{user_id}")
    if sids:
        # multi-key UNLINK: in Cluster this only works when all keys share a hash slot (see Cluster note)
        redis.unlink(*[f"session:{s}" for s in sids], f"user_sessions:{user_id}")

For “log out everywhere”.

Cookie

response.set_cookie(
    "session",
    sid,
    httponly=True,
    secure=True,
    samesite="lax",
    max_age=86400 * 7,
)

Token rotation

On privilege escalation (login, role change): issue new sid, delete old.

def rotate_session(old_sid, user_id):
    new_sid = create_session(user_id)   # issue the new sid before deleting the old one
    redis.delete(f"session:{old_sid}")  # with the user index pattern, also SREM old_sid from user_sessions:{user_id}
    return new_sid

Anti-fixation

Always rotate the sid after login, so a sid handed to the browser before authentication never becomes an authenticated one.

CSRF token

def csrf_token(sid):  # hash storage layout only
    token = redis.hget(f"session:{sid}", "csrf")
    if not token:
        # HSETNX, not HSET: two concurrent first requests would otherwise
        # overwrite each other's token and one of the forms would fail its check
        redis.hsetnx(f"session:{sid}", "csrf", secrets.token_urlsafe(32))
        token = redis.hget(f"session:{sid}", "csrf")
    return token
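
Added example, not code from the cheatsheet: the hash-storage session store, user index, sliding expiration, rotation and CSRF token from the sections above, wired together and run end to end. It uses FakeRedis, a constructed in-memory stand-in for a redis-py client (decode_responses=True semantics, str in and str out) with an injectable clock, so TTL behaviour can be exercised offline without waiting for keys to expire. FakeRedis, TTL, the now list and the 203.0.113.10 default IP are all assumptions of this example.

```python
# Added example (not the cheatsheet's code): hash-storage sessions, user index,
# sliding expiry, rotation and CSRF token against FakeRedis, a constructed
# in-memory stand-in for redis-py (str in/out) with an injectable clock.
import secrets

TTL = 86400 * 7  # 7 days

class FakeRedis:  # hypothetical stub: only the commands this example uses
    def __init__(self, clock):
        self.clock = clock    # callable returning the current unix time
        self.data = {}        # key -> dict (hash) | set
        self.expiry = {}      # key -> absolute expiry time; absent = no TTL

    def _alive(self, key):  # lazily drop an expired key, report whether it exists
        exp = self.expiry.get(key)
        if exp is not None and exp <= self.clock():
            self.data.pop(key, None)
            self.expiry.pop(key, None)
        return key in self.data

    def expire(self, key, ttl):
        if not self._alive(key):
            return False
        self.expiry[key] = self.clock() + ttl
        return True

    def hset(self, key, mapping):
        self._alive(key)
        self.data.setdefault(key, {}).update({f: str(v) for f, v in mapping.items()})

    def hsetnx(self, key, field, value):
        self._alive(key)
        h = self.data.setdefault(key, {})
        if field in h:
            return False
        h[field] = str(value)
        return True

    def hget(self, key, field):
        return self.data[key].get(field) if self._alive(key) else None

    def sadd(self, key, *members):
        self._alive(key)
        self.data.setdefault(key, set()).update(members)

    def srem(self, key, *members):
        if self._alive(key):
            self.data[key].difference_update(members)

    def smembers(self, key):
        return set(self.data[key]) if self._alive(key) else set()

    def delete(self, *keys):
        live = [k for k in keys if self._alive(k)]
        for k in live:
            del self.data[k]
            self.expiry.pop(k, None)
        return len(live)

    unlink = delete  # real UNLINK frees memory in the background; same visible result

now = [1_700_000_000.0]                  # constructed clock; advance now[0] to simulate time
redis = FakeRedis(clock=lambda: now[0])

def create_session(user_id, client_ip="203.0.113.10"):  # default IP is a constructed placeholder
    sid = secrets.token_urlsafe(32)
    key = f"session:{sid}"
    redis.hset(key, mapping={"user_id": user_id, "created": now[0], "ip": client_ip})
    redis.expire(key, TTL)                        # forgetting this is the "no TTL" leak
    redis.sadd(f"user_sessions:{user_id}", sid)   # index for "log out everywhere"
    return sid

def get_session(sid):
    return redis.hget(f"session:{sid}", "user_id")  # None once expired or revoked

def touch_session(sid, ttl=TTL):
    return redis.expire(f"session:{sid}", ttl)      # sliding expiry; False if already gone

def revoke(sid):
    user_id = redis.hget(f"session:{sid}", "user_id")
    redis.delete(f"session:{sid}")
    if user_id is not None:
        redis.srem(f"user_sessions:{user_id}", sid)  # keep the index free of dead ids

def revoke_all(user_id):
    sids = redis.smembers(f"user_sessions:{user_id}")
    if sids:
        redis.unlink(*[f"session:{s}" for s in sids], f"user_sessions:{user_id}")
    return len(sids)

def rotate_session(old_sid, user_id):
    new_sid = create_session(user_id)  # new sid first, then delete old: no window with none
    revoke(old_sid)
    return new_sid

def csrf_token(sid):
    key = f"session:{sid}"
    if get_session(sid) is None:       # never mint a token for a session that no longer exists
        return None
    redis.hsetnx(key, "csrf", secrets.token_urlsafe(32))  # first writer wins under concurrency
    return redis.hget(key, "csrf")
```

Advancing now[0] by five days, calling touch_session, then advancing five more days shows the sliding window: the session is ten days old but still alive. A session that is never touched is gone after TTL seconds, and csrf_token and touch_session both report that rather than silently recreating the key.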

Cluster note

Use a hash tag so related keys hash to the same slot and therefore the same shard; multi-key commands (MULTI/EXEC, the UNLINK in revoke_all) only work in Cluster when every key involved shares a slot:

{user:1}:session
{user:1}:perms
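
Added example, not from the cheatsheet: Redis Cluster's key-to-slot mapping reimplemented from the documented algorithm (CRC16/XMODEM of the hash tag, modulo 16384), including the full hash-tag rule rather than only the {user:1} case above, so key placement can be checked offline before a multi-key command is relied on. The function names are this example's own.

```python
# Added example (not the cheatsheet's code): Redis Cluster slot computation,
# reimplemented from the documented algorithm for offline placement checks.
SLOTS = 16384


def crc16_xmodem(data: bytes) -> int:
    # polynomial 0x1021, init 0, no reflection: the CRC16 variant Redis Cluster uses
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def hash_tag(key: str) -> str:
    # Only the substring between the first '{' and the first '}' after it is
    # hashed, and only when it is non-empty; otherwise the whole key is hashed.
    start = key.find("{")
    if start == -1:
        return key
    end = key.find("}", start + 1)
    if end == -1 or end == start + 1:  # no closing brace, or "{}": whole key
        return key
    return key[start + 1:end]


def key_slot(key: str) -> int:
    return crc16_xmodem(hash_tag(key).encode()) % SLOTS


def same_slot(*keys: str) -> bool:
    # True when one MULTI/EXEC, MGET or multi-key UNLINK may touch all of them
    return len({key_slot(k) for k in keys}) == 1
```

same_slot("{user:1}:session", "{user:1}:perms") is true because both hash only "user:1"; the plain session:<id> and user_sessions:<user_id> keys from the index pattern carry no tag and will usually land in different slots, which is why a multi-key UNLINK over them fails in Cluster.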

Memory size

Sessions are tiny: 1M sessions × 1KB = 1GB of payload, plus Redis's per-key overhead. Plan accordingly.

Common mistakes

  • Storing too much in session.
  • No TTL → memory leak.
  • Predictable session IDs (use secrets).
  • Not rotating on login.
  • Cookie without Secure / HttpOnly.

Read this next

If you want my session store, it’s at rajpoot.dev .
Building something AI-, backend-, or data-heavy and want a second pair of eyes? I do consulting and freelance work — see my projects and ways to reach me at rajpoot.dev .