  • Supports base64 sessions
  • Supports JWT signed sessions
  • Supports Fernet encrypted sessions


  • python >= 3.8


Muffin-Session should be installed using pip:

pip install muffin-session

# Optional extras
pip install muffin-session[fernet]


  1. Use it manually
from muffin import Application, ResponseHTML
from muffin_session import Plugin as Session

# Create Muffin Application
app = Application('example')

# Initialize the plugin
# As alternative: session = Session(app, **options)
session = Session()
session.setup(app, secret_key='REALLY_SECRET_KEY_FOR_SIGN_YOUR_SESSIONS')

# Use it inside your handlers
async def update_session(request):
    ses = session.load_from_request(request)
    ses['var'] = 'value'
    response = ResponseHTML('Session has been updated')
    session.save_to_response(ses, response)
    return response

async def load_session(request):
    ses = session.load_from_request(request)
    return ses.get('var')
  2. Auto manage sessions (with middleware)
from muffin import Application, ResponseHTML
from muffin_session import Plugin as Session

# Create Muffin Application
app = Application('example')

# Initialize the plugin
# As alternative: session = Session(app, **options)
session = Session()
session.setup(app, secret_key='REALLY_SECRET_KEY_FOR_SIGN_YOUR_SESSIONS', auto_manage=True)

# Use it inside your handlers
async def update_session(request):
    request.session['var'] = 'value'
    return 'Session has been updated'

async def load_session(request):
    return request.session.get('var')


Name                  Default value     Description
session_type          "jwt"             Session type (base64|jwt|fernet)
secret_key            "InsecureSecret"  A secret code to sign sessions
auto_manage           False             Load/Save sessions automatically. Session will be loaded into request.session
cookie_name           "session"         Session's cookie name
cookie_params         {'path': '/', 'max-age': None, 'samesite': 'lax', 'secure': False}  Session's cookie params
default_user_checker  lambda x: True    A function to check a logged user
login_url             "/login"          A URL to redirect anonymous users (it may be a function which accepts Request and returns a string)

You can provide the options when you initialize the plugin:

session.setup(app, secret_key='123455', cookie_name='info')

Or set them inside the Muffin.Application config using the SESSION_ prefix:



Muffin.Application configuration options are case insensitive
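
A startup check for the options in the table above, as an added example that is not part of Muffin-Session or its documentation: it flags the default and documentation secret keys, the base64 session type, and weak cookie flags. The names `audit_session_options` and `hardened_options` and the 32-byte minimum are assumptions of this example.

```python
import secrets

# Defaults copied from the options table on this page.
PAGE_DEFAULTS = {
    "session_type": "jwt",
    "secret_key": "InsecureSecret",
    "cookie_params": {"path": "/", "max-age": None, "samesite": "lax", "secure": False},
}
# Keys printed on this page; a published value is not a secret.
PUBLISHED_KEYS = {"InsecureSecret", "REALLY_SECRET_KEY_FOR_SIGN_YOUR_SESSIONS", "123455"}
MIN_KEY_BYTES = 32  # assumption of this example: 256 bits of key material


def audit_session_options(**options):
    """Return findings for the keyword options you would pass to session.setup()."""
    cfg = {**PAGE_DEFAULTS, **options}
    # Assumption: a passed cookie_params is audited as given, so omitted flags are reported.
    cookie = cfg["cookie_params"]
    findings = []
    key = cfg["secret_key"]
    key_bytes = key.encode() if isinstance(key, str) else bytes(key)
    if key in PUBLISHED_KEYS:
        findings.append("secret_key: default or documentation value")
    elif len(key_bytes) < MIN_KEY_BYTES:
        findings.append(f"secret_key: shorter than {MIN_KEY_BYTES} bytes")
    if cfg["session_type"] == "base64":
        findings.append("session_type: base64 is an encoding, not a signature or encryption")
    if not cookie.get("secure"):
        findings.append("cookie_params: secure is off, cookie is also sent over plain HTTP")
    if str(cookie.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("cookie_params: samesite is not lax or strict")
    return findings


def hardened_options():
    """Options that pass the audit. The key here is generated per call for the demo;
    a real deployment loads one stable key from its secret store."""
    return {
        "session_type": "jwt",
        "secret_key": secrets.token_urlsafe(48),
        "cookie_params": {"path": "/", "max-age": None, "samesite": "lax", "secure": True},
    }


if __name__ == "__main__":
    for finding in audit_session_options():  # the page's defaults
        print("FINDING", finding)
    print(audit_session_options(**hardened_options()))  # hardened: no findings
```

Run the audit before calling `session.setup(app, **options)` and refuse to start outside development when it returns findings.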


from muffin import Application, ResponseHTML
from muffin_session import Plugin as Session

# Create Muffin Application
app = Application('example')

# Initialize the plugin
# As alternative: session = Session(app, **options)
session = Session()
session.setup(app, secret_key='REALLY_SECRET_KEY_FOR_SIGN_YOUR_SESSIONS', auto_manage=True)

async def load_user(ident):
    """Define your own user loader. """
    return await my_database_load_user_by_id(ident)

async def get_session(request):
    """ Load session and return it as JSON. """
    return dict(request.session)

@session.user_pass(lambda user: user.is_admin)
async def admin(request):
    """Available for admins only. """
    return 'TOP SECRET'

async def login(request):
    """Save user id into the current session. """
    # ...
    session.login(request, current_user.pk)
    return 'OK'

async def logout(request):
    """ Logout user. """
    # ...
    return 'OK'

async def somewhere(request):
    """ Do something and leave a flash message """
    # ...
    return 'OK'

