httpsgithu
diff --git a/‎jooby/src/main/java/io/jooby/Router.java‎
Lines changed: 2 additions & 2 deletions b/‎jooby/src/main/java/io/jooby/Router.java‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎jooby/src/main/java/io/jooby/Session.java‎
Lines changed: 11 additions & 1 deletion b/‎jooby/src/main/java/io/jooby/Session.java‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎jooby/src/main/java/io/jooby/SessionOptions.java‎
Lines changed: 5 additions & 1 deletion b/‎jooby/src/main/java/io/jooby/SessionOptions.java‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎jooby/src/main/java/io/jooby/SessionStore.java‎
Lines changed: 76 additions & 23 deletions b/‎jooby/src/main/java/io/jooby/SessionStore.java‎
Lines changed: 76 additions & 23 deletions
diff --git a/‎jooby/src/main/java/io/jooby/SessionToken.java‎
Lines changed: 82 additions & 9 deletions b/‎jooby/src/main/java/io/jooby/SessionToken.java‎
Lines changed: 82 additions & 9 deletions
@@ -682,9 +682,9 @@ default Router error(@Nonnull Predicate<StatusCode> predicate,
    * @param converter Custom value converter.
    * @return This router.
    */
-  @Nonnull Router converter(@Nonnull ValueConverter converter);/**
+  @Nonnull Router converter(@Nonnull ValueConverter converter);
 
-   /**
+  /**
    * Add a custom bean value converter.
    *
    * @param converter Custom value converter.
 
@@ -207,14 +207,24 @@ public interface Session {
   /**
    * Creates a new session.
    *
+   * @param ctx Web context.
    * @param id Session ID.
    * @return A new session.
    */
   static @Nonnull Session create(@Nonnull Context ctx, @Nonnull String id) {
     return new SessionImpl(ctx, id);
   }
 
-  static @Nonnull Session create(@Nonnull Context ctx, @Nonnull String id, @Nonnull Map<String, String> data) {
+  /**
+   * Creates a new session.
+   *
+   * @param ctx Web context.
+   * @param id Session ID.
+   * @param data Session attributes.
+   * @return A new session.
+   */
+  static @Nonnull Session create(@Nonnull Context ctx, @Nonnull String id,
+      @Nonnull Map<String, String> data) {
     return new SessionImpl(ctx, id, data);
   }
 }
@@ -26,7 +26,11 @@ public class SessionOptions {
 
   private final SessionStore store;
 
-  public SessionOptions(SessionStore store) {
+  /**
+   *
+   * @param store
+   */
+  public SessionOptions(@Nonnull SessionStore store) {
     this.store = store;
   }
 
 
@@ -5,11 +5,11 @@
  */
 package io.jooby;
 
+import io.jooby.internal.CookieSessionStore;
 import io.jooby.internal.MemorySessionStore;
 
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
-import java.time.Duration;
 import java.time.Instant;
 
 /**
@@ -20,62 +20,115 @@
  */
 public interface SessionStore {
 
-  Cookie SID = new Cookie("jooby.sid")
-      .setMaxAge(Duration.ofSeconds(-1))
-      .setHttpOnly(true)
-      .setPath("/");
-
-  @Nonnull SessionToken getSessionToken();
-
   /**
    * Creates a new session. This method must:
    *
    * - Set session as new {@link Session#setNew(boolean)}
-   * - Set session creation time {@link Session#setCreationTime(Instant)}
-   * - Set session last accessed time {@link Session#setLastAccessedTime(Instant)}
+   * - Optionally, set session creation time {@link Session#setCreationTime(Instant)}
+   * - Optionally, set session last accessed time {@link Session#setLastAccessedTime(Instant)}
    *
-   * @param id Session ID.
+   * @param ctx Web context.
    * @return A new session.
    */
   @Nonnull Session newSession(@Nonnull Context ctx);
 
   /**
    * Find an existing session by ID. For existing session this method must:
    *
-   * - Retrieve/restore session creation time
-   * - Set session last accessed time {@link Session#setLastAccessedTime(Instant)}
+   * - Optionally, Retrieve/restore session creation time
+   * - Optionally, Set session last accessed time {@link Session#setLastAccessedTime(Instant)}
    *
-   * @param id Session ID.
+   * @param ctx Web context.
    * @return An existing session or <code>null</code>.
    */
   @Nullable Session findSession(@Nonnull Context ctx);
 
   /**
    * Delete a session from store. This method must NOT call {@link Session#destroy()}.
    *
-   * @param id Session ID.
+   * @param ctx Web context.
+   * @param session Current session.
    */
-  void deleteSession(@Nonnull Context ctx);
+  void deleteSession(@Nonnull Context ctx, @Nonnull Session session);
+
+  /**
+   * Session attributes/state has changed. Every time a session attribute is put or removed it,
+   * this method is executed as notification callback.
+   *
+   * @param ctx Web context.
+   * @param session Current session.
+   */
+  void touchSession(@Nonnull Context ctx, @Nonnull Session session);
 
   /**
    * Save a session. This method must save:
    *
    * - Session attributes/data
-   * - Session metadata like: creationTime, lastAccessed time, etc.
+   * - Optionally set Session metadata like: creationTime, lastAccessed time, etc.
+   *
+   * This method is call after response is send to client, so context and response shouldn't be
+   * modified.
    *
-   * @param session Session to save.
+   * @param ctx Web context.
+   * @param session Current session.
    */
-  void save(@Nonnull Context ctx);
+  void saveSession(@Nonnull Context ctx, @Nonnull Session session);
 
-  static SessionStore memory() {
-    return memory(SID);
+  /**
+   * Creates a cookie based session and store data in memory. Session data is not keep after
+   * restart.
+   *
+   * It uses the default session cookie: {@link SessionToken#SID}.
+   *
+   * @return Session store.
+   */
+  static @Nonnull SessionStore memory() {
+    return memory(SessionToken.SID);
   }
 
-  static SessionStore memory(Cookie cookie) {
+  /**
+   * Creates a cookie based session and store data in memory. Session data is not keep after
+   * restart.
+   *
+   * @param cookie Cookie to use.
+   * @return Session store.
+   */
+  static @Nonnull SessionStore memory(@Nonnull Cookie cookie) {
     return memory(SessionToken.cookie(cookie));
   }
 
-  static SessionStore memory(SessionToken token) {
+  /**
+   * Creates a session store that save data in memory. Session data is not keep after restart.
+   *
+   * @param token Session token.
+   * @return Session store.
+   */
+  static @Nonnull SessionStore memory(@Nonnull SessionToken token) {
     return new MemorySessionStore(token);
   }
+
+  /**
+   * Creates a session store that save data into Cookie. Cookie data is signed it using
+   * <code>HMAC_SHA256</code>. See {@link Cookie#sign(String, String)}.
+   *
+   * @param secret Secret token to signed data.
+   * @param cookie Cookie to use.
+   * @return A browser session store.
+   */
+  static @Nonnull SessionStore cookie(@Nonnull String secret, @Nonnull Cookie cookie) {
+    return new CookieSessionStore(secret, cookie);
+  }
+
+  /**
+   * Creates a session store that save data into Cookie. Cookie data is signed it using
+   * <code>HMAC_SHA256</code>. See {@link Cookie#sign(String, String)}.
+   *
+   * It uses the default session cookie: {@link SessionToken#SID}.
+   *
+   * @param secret Secret token to signed data.
+   * @return A browser session store.
+   */
+  static @Nonnull SessionStore cookie(@Nonnull String secret) {
+    return cookie(secret, SessionToken.SID);
+  }
 }
@@ -5,20 +5,37 @@
  */
 package io.jooby;
 
+import io.jooby.internal.MultipleSessionToken;
+
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
+import java.security.SecureRandom;
+import java.time.Duration;
 
 /**
- * Find, save and delete a session token (cookie or header) into/from the web {@link Context}.
+ * Find, save and delete a session token (cookie, header, parameter, etc)
+ * into/from the web {@link Context}.
  *
  * @author edgar
  */
 public interface SessionToken {
 
+  /**
+   * Looks for a session ID from request cookie headers. This strategy:
+   *
+   * - find a token from a request cookie.
+   * - on save, set a response cookie on new sessions or when cookie has a max-age value.
+   * - on destroy, expire the cookie.
+   */
   class CookieID implements SessionToken {
 
     private final Cookie cookie;
 
+    /**
+     * Creates a Cookie ID.
+     *
+     * @param cookie Cookie to use.
+     */
     public CookieID(@Nonnull Cookie cookie) {
       this.cookie = cookie;
     }
@@ -40,11 +57,23 @@ public CookieID(@Nonnull Cookie cookie) {
     }
   }
 
+  /**
+   * Looks for a session ID from request headers. This strategy:
+   *
+   * - find a token from a request header.
+   * - on save, send the header back as response header.
+   * - on session destroy. don't send response header back.
+   */
   class HeaderID implements SessionToken {
 
     private final String name;
 
-    public HeaderID(String name) {
+    /**
+     * Creates a new Header ID.
+     *
+     * @param name Header's name.
+     */
+    public HeaderID(@Nonnull String name) {
       this.name = name;
     }
 
@@ -61,6 +90,15 @@ public HeaderID(String name) {
     }
   }
 
+  /**
+   * Default cookie for cookie based session stores.
+   * Uses <code>jooby.sid</code> as name. It never expires, use the root, only for HTTP.
+   */
+  Cookie SID = new Cookie("jooby.sid")
+      .setMaxAge(Duration.ofSeconds(-1))
+      .setHttpOnly(true)
+      .setPath("/");
+
   /**
    * Find session ID.
    *
@@ -73,35 +111,70 @@ public HeaderID(String name) {
    * Save session ID in the web context.
    *
    * @param ctx Web context.
-   * @param token
+   * @param token Token/data to save.
    */
   void saveToken(@Nonnull Context ctx, @Nonnull String token);
 
   /**
    * Delete session ID in the web context.
    *
    * @param ctx Web context.
-   * @param token Session ID to save.
+   * @param token Token/data to delete.
    */
   void deleteToken(@Nonnull Context ctx, @Nonnull String token);
 
+  /* **********************************************************************************************
+   * Factory methods
+   * **********************************************************************************************
+   */
+
   /**
-   * Create a cookie-based Session ID.
+   * Create a cookie-based Session ID. This strategy:
+   *
+   * - find a token from a request cookie.
+   * - on save, set a response cookie on new sessions or when cookie has a max-age value.
+   * - on destroy, expire the cookie.
    *
-   * @param cookie Cookie template.
-   * @return Session ID.
+   * @param cookie Cookie to use.
+   * @return Session Token.
    */
   static @Nonnull SessionToken cookie(@Nonnull Cookie cookie) {
     return new CookieID(cookie);
   }
 
   /**
-   * Create a header-based Session ID.
+   * Create a header-based Session Token. This strategy:
+   *
+   * - find a token from a request header.
+   * - on save, send the header back as response header.
+   * - on session destroy. don't send response header back.
    *
    * @param name Header name.
-   * @return Session ID.
+   * @return Session Token.
    */
   static @Nonnull SessionToken header(@Nonnull String name) {
     return new HeaderID(name);
   }
+
+  /**
+   * Combine/compose two or more session tokens. Example:
+   *
+   * <pre>{@code
+   *   SessionToken token = SessionToken.combine(
+   *       SessionToken.header("TOKEN"),
+   *       SessionToken.cookie(SID)
+   *   );
+   * }
+   * </pre>
+   *
+   * On new session, creates a response header and cookie.
+   * On save token, generates a response header or cookie based on best matches.
+   * On delete token, generates a response header or cookie based on best matches.
+   *
+   * @param tokens Tokens to use.
+   * @return A composed session token.
+   */
+  static @Nonnull SessionToken combine(@Nonnull SessionToken... tokens) {
+    return new MultipleSessionToken(tokens);
+  }
 }