Skip to content

Sessions and Cookies

Your application can have a session for each user in which you can store small amounts of data that will be persisted between requests. The session is only available in the controller and is stored using Cookies.

The cookie data is cryptographically signed to make it tamper-proof. And it is also encrypted so anyone with access to it can't read its contents. (Spider-Gazelle will not accept it if it has been edited).

  • The session cookie can store around 4kB of data.
  • Storing large amounts of data in the session is discouraged.
  • Typically store a user or session id in the session - which can be used to retrieve required data


Spider-Gazelle sets up a session key (the name of the cookie) and session secret when signing the session data. These can be changed in your applications file.

Accessing the session#

In your controller you can access the session through the session instance method.

Sessions are lazily loaded. If you don't access sessions in your action's code, they will not be loaded. Hence you will never need to disable sessions, just not accessing them will do the job.

Session values are stored using key/value pairs like a hash:

class Application < ActionController::Base

  # Finds the User with the ID stored in the session with the key
  # "current_user_id" This is a common way to handle user login in
  # a Spider-Gazelle application; logging in sets the session value
  # and logging out removes it.
  def current_user
    @current_user ||= session["user_id"]? &&

To store something in the session, just assign it to the key like a hash:

class LoginController < Application
  # "Create" a login, aka "log the user in"
  def create(username : String, password : String) : Nil
    if user = User.authenticate(username, password)
      # Save the user ID in the session so it can be used in
      # subsequent requests
      session["user_id"] =

To remove something from the session, assign that key to be nil:

class LoginController < Application
  # "Delete" a login, aka "log the user out"
  def destroy
    # Remove the user id from the session
    @current_user = session[:user_id] = nil

To reset the entire session, use session.clear.


Your application can store small amounts of data on the client - called cookies - that will be persisted across requests and even sessions. Spider-Gazelle provides easy access to cookies via the cookies method, which - much like the session - works like a hash:

class CommentsController < Application

  def new
    # Auto-fill the commenter's name if it has been stored in a cookie
    comment = cookies["commenter_name"])

  @[AC::Route::POST("/", body: :comment)]
  def create(comment : Comment, remember_name : Bool = false)!
    if remember_name
      # Remember the commenter's name.
      cookies["commenter_name"] =
      # Delete cookie for the commenter's name cookie, if any.