> iron-session
Manage encrypted sessions in Next.js with iron-session. Use for session auth, encrypted cookies, or stateless sessions without a database.
curl "https://skillshub.wtf/TerminalSkills/skills/iron-session?format=md"
Overview
iron-session stores session data in an encrypted, signed cookie, so no server-side session store is needed: the browser carries the sealed payload and the server unseals it on every request. Under the hood it uses AES-256 encryption and HMAC-SHA256 signing with keys derived from your session password, so a client can neither read nor alter the session without the secret. Works with Next.js App Router and Express.
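To make "encrypted, signed cookie" concrete, here is an added, self-contained TypeScript model of what sealing does. It is not iron-session's own code and does not reproduce its wire format; it shows the same pattern at a smaller scale: separate AES-256-CBC and HMAC-SHA256 keys derived from one password, encrypt-then-MAC, the MAC verified in constant time before anything is decrypted, and an expiry that the MAC covers. The functions `seal`, `unseal` and `tamper`, the PBKDF2 iteration count and the dotted cookie layout are assumptions made for this example.

```typescript
import { createCipheriv, createDecipheriv, createHmac, pbkdf2Sync, randomBytes, timingSafeEqual } from 'node:crypto'

// Same shape as the page's SessionData.
export interface SessionData { userId?: string; role?: string; isLoggedIn: boolean }

const KEY_BYTES = 32              // AES-256 key and HMAC-SHA256 key are 32 bytes each
const PBKDF2_ITERATIONS = 50_000  // assumption for this model; iron's own KDF parameters differ

// Derive independent encryption and integrity keys from the single session password.
function deriveKeys(password: string, salt: Buffer): { encKey: Buffer; macKey: Buffer } {
  const material = pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, KEY_BYTES * 2, 'sha256')
  return { encKey: material.subarray(0, KEY_BYTES), macKey: material.subarray(KEY_BYTES) }
}

// seal: JSON -> AES-256-CBC ciphertext -> HMAC-SHA256 over "salt.iv.ciphertext.expiry" (encrypt-then-MAC).
export function seal(data: SessionData, password: string, ttlSeconds: number, now: number = Date.now()): string {
  if (password.length < 32) throw new Error('session password must be at least 32 characters')
  const salt = randomBytes(16)
  const iv = randomBytes(16)
  const { encKey, macKey } = deriveKeys(password, salt)
  const cipher = createCipheriv('aes-256-cbc', encKey, iv)
  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(data), 'utf8'), cipher.final()])
  const expiresAt = now + ttlSeconds * 1000
  const body = [salt, iv, ciphertext].map((b) => b.toString('base64url')).join('.') + '.' + expiresAt
  const tag = createHmac('sha256', macKey).update(body).digest('base64url')
  return `${body}.${tag}`
}

// unseal: check the MAC first (constant time), then the expiry, then decrypt. Any failure yields null.
export function unseal(cookie: string, password: string, now: number = Date.now()): SessionData | null {
  const parts = cookie.split('.')
  if (parts.length !== 5) return null
  const [saltB64, ivB64, ctB64, expiresStr, tagB64] = parts
  const { encKey, macKey } = deriveKeys(password, Buffer.from(saltB64, 'base64url'))
  const body = `${saltB64}.${ivB64}.${ctB64}.${expiresStr}`
  const expected = createHmac('sha256', macKey).update(body).digest()
  const actual = Buffer.from(tagB64, 'base64url')
  if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) return null
  if (!/^\d+$/.test(expiresStr) || Number(expiresStr) <= now) return null
  try {
    const decipher = createDecipheriv('aes-256-cbc', encKey, Buffer.from(ivB64, 'base64url'))
    const plain = Buffer.concat([decipher.update(Buffer.from(ctB64, 'base64url')), decipher.final()])
    return JSON.parse(plain.toString('utf8')) as SessionData
  } catch {
    return null // padding or JSON error after a valid MAC should not happen, but never leak it
  }
}

// Flip one character of the ciphertext segment, simulating a client editing its cookie.
export function tamper(cookie: string): string {
  const parts = cookie.split('.')
  parts[2] = (parts[2][0] === 'A' ? 'B' : 'A') + parts[2].slice(1)
  return parts.join('.')
}
```

The order inside `unseal` is the point: the MAC is checked before the expiry or the ciphertext is touched, so a tampered cookie, a cookie sealed with a different password and an expired cookie all come back as `null` without distinguishing failure modes to the client. This is also why a stateless cookie cannot be revoked: anything that passes these checks is accepted until `expiresAt`.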
Instructions
Step 1: Configuration
// lib/session.ts (hypothetical path): one shared helper so every handler uses the same options
import { getIronSession } from 'iron-session'
import { cookies } from 'next/headers'

// Everything in this interface is sealed into the cookie: keep it to identifiers and flags.
export interface SessionData { userId?: string; role?: string; isLoggedIn: boolean }

const options = {
  password: process.env.SESSION_SECRET!, // at least 32 characters, see Guidelines
  cookieName: 'myapp_session',
  cookieOptions: { secure: process.env.NODE_ENV === 'production', httpOnly: true, sameSite: 'lax' as const, maxAge: 604800 },
}

// cookies() is async in current Next.js, hence the await before handing it to iron-session.
export async function getSession() {
  return getIronSession<SessionData>(await cookies(), options)
}
Step 2: Login/Logout
// POST /api/auth/login, after the submitted credentials have been verified
// (`user` is the record returned by that check; never set isLoggedIn before verifying)
const session = await getSession()
session.userId = user.id
session.role = user.role
session.isLoggedIn = true
await session.save() // seals the data and sets the cookie on the response

// POST /api/auth/logout
const session = await getSession()
session.destroy() // clears the session data and expires the cookie in the browser
Step 3: Protected Pages
import { redirect } from 'next/navigation'
import { getSession } from '@/lib/session' // hypothetical path of the Step 1 helper

export default async function DashboardPage() {
  const session = await getSession()
  if (!session.isLoggedIn) redirect('/login') // unsealing failed or no cookie: treat as logged out
  return <Dashboard userId={session.userId!} /> // Dashboard is the app's own component
}
Guidelines
- SESSION_SECRET: at least 32 characters. Generate with `openssl rand -hex 32`. To rotate it without logging everyone out, iron-session accepts an object of passwords keyed by numeric id (`{ 2: newSecret, 1: oldSecret }`): the highest id seals new cookies and the older ids still unseal existing ones.
- Cookie limit is 4KB, and the sealed form is larger than the JSON it carries. Store IDs only, not large objects.
- Stateless means no revocation by default: a sealed cookie stays valid until it expires, and destroy() only removes the browser's copy. For password changes or a compromised account, keep a session version on the user record, copy it into the session at login, and reject requests whose version no longer matches.
- Always httpOnly + secure in production.
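The revocation guideline above, as an added TypeScript example rather than code from iron-session or this page: a per-user session version is copied into the session at login and compared on every request, so bumping it on the user record invalidates every cookie issued before. The example also re-reads the role from the user record instead of trusting the value sealed in the cookie, which otherwise stays stale until the next login. The in-memory `users` map, `UserRecord`, `sessionForLogin`, `resolveSession`, `revokeAllSessions` and `demo` are all assumptions for this example; in the app the session object comes from `getSession()` and the lookup is your database query.

```typescript
// Constructed in-memory user table standing in for the database row that already exists.
export interface UserRecord { id: string; role: string; sessionVersion: number }

export const users = new Map<string, UserRecord>([
  ['u_42', { id: 'u_42', role: 'admin', sessionVersion: 1 }],
])

// The page's SessionData plus the version copied in at login.
export interface SessionData { userId?: string; role?: string; sessionVersion?: number; isLoggedIn: boolean }

// Called from the login handler once credentials are verified; the result is what session.save() seals.
export function sessionForLogin(user: UserRecord): SessionData {
  return { userId: user.id, role: user.role, sessionVersion: user.sessionVersion, isLoggedIn: true }
}

// Per-request check: returns the live user record, or null when the request must be treated as logged out.
export function resolveSession(
  session: SessionData,
  lookup: (id: string) => UserRecord | undefined,
): UserRecord | null {
  if (!session.isLoggedIn || !session.userId) return null
  const user = lookup(session.userId)
  if (!user) return null                                            // account deleted since login
  if (session.sessionVersion !== user.sessionVersion) return null   // revoked since the cookie was issued
  return user // authorise on user.role (live), not session.role (frozen at login)
}

// "Log out everywhere": every sealed cookie carrying the old version stops validating at once.
export function revokeAllSessions(user: UserRecord): void {
  user.sessionVersion += 1
}

// Walk through the lifecycle: valid cookie, DB demotion, revocation, fresh login.
export function demo(): { beforeRevoke: boolean; roleFollowsDb: string | null; afterRevoke: boolean; afterRelogin: boolean } {
  const lookup = (id: string) => users.get(id)
  const user = users.get('u_42')!
  const cookieSession = sessionForLogin(user)   // what the browser holds after login
  const beforeRevoke = resolveSession(cookieSession, lookup) !== null
  user.role = 'viewer'                          // demoted in the DB; the cookie still says 'admin'
  const roleFollowsDb = resolveSession(cookieSession, lookup)?.role ?? null
  revokeAllSessions(user)                       // e.g. password change or admin-triggered revocation
  const afterRevoke = resolveSession(cookieSession, lookup) !== null
  const afterRelogin = resolveSession(sessionForLogin(user), lookup) !== null
  return { beforeRevoke, roleFollowsDb, afterRevoke, afterRelogin }
}
```

The cost is one user lookup per request, which is exactly the round trip a stateless cookie was avoiding; it buys immediate revocation and live authorisation data, and is still far cheaper than a full server-side session store.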