Redis session store with redis-py
Implement a Redis-backed session store in Python with redis-py
This guide shows you how to implement a Redis-backed session store in Python with redis-py. It includes a small local web server built with the Python standard library so you can see the session lifecycle end to end.
Overview
Session storage is a common Redis use case for web applications. Instead of keeping session state in local process memory, you store it in Redis and send the browser only an opaque session ID in a cookie.
That gives you:
- Shared sessions across multiple app servers
- Automatic expiration using Redis TTLs
- Fast reads and updates for small pieces of per-user state
- A clean separation between browser cookies and server-side session data
In this example, each session is stored as a Redis hash with a key like session:{session_id}. The hash holds lightweight fields such as the username, page view count, timestamps, and the configured session TTL. The key also has an expiration so inactive sessions are removed automatically.
How it works
The flow looks like this:
- A user submits a login form
- The server generates a random session ID with Python's
secretsmodule - The server stores session data in Redis under
session:{id} - The server sends a
sidcookie containing only the session ID - Later requests read the cookie, load the hash from Redis, and refresh the TTL
- Logging out deletes the Redis key and clears the cookie
Because the cookie only contains an opaque identifier, the browser never receives the actual session data. That stays in Redis.
The Python session store
The RedisSessionStore class wraps the basic session operations
(source):
import redis
from session_store import RedisSessionStore
r = redis.Redis(host="localhost", port=6379, decode_responses=True)
store = RedisSessionStore(redis_client=r, ttl=1800)
session_id = store.create_session(
{
"username": "andrew",
"page_views": "0",
}
)
session = store.get_session(session_id)
print(session["username"])
store.increment_field(session_id, "page_views")
store.delete_session(session_id)
Data model
Each session is stored in a Redis hash:
session:abc123...
username = andrew
page_views = 3
session_ttl = 15
created_at = 2026-04-02T12:34:56+00:00
last_accessed_at = 2026-04-02T12:40:10+00:00
The implementation uses:
HSETto create and update session fieldsHGETALLto load the sessionHINCRBYto update countersEXPIREto implement sliding expirationDELto remove a session on logout
The store treats created_at, last_accessed_at, and session_ttl as reserved internal fields, so caller-provided session data cannot overwrite them.
Session store implementation
The create_session() method generates a random session ID, writes the initial hash fields, and sets the TTL:
def create_session(
self,
data: Optional[dict[str, str]] = None,
ttl: Optional[int] = None,
) -> str:
session_id = secrets.token_urlsafe(32)
key = self._session_key(session_id)
now = self._timestamp()
session_ttl = self._normalize_ttl(ttl)
payload = {}
if data:
payload.update(
{
field: str(value)
for field, value in data.items()
if field not in RESERVED_SESSION_FIELDS
}
)
payload.update(
{
"created_at": now,
"last_accessed_at": now,
"session_ttl": str(session_ttl),
}
)
pipeline = self.redis.pipeline()
pipeline.hset(key, mapping=payload)
pipeline.expire(key, session_ttl)
pipeline.execute()
return session_id
When the application reads a session, it refreshes the configured TTL so active users stay logged in:
def get_session(self, session_id: str, refresh_ttl: bool = True) -> Optional[dict[str, str]]:
key = self._session_key(session_id)
session_ttl = self.get_configured_ttl(session_id)
if session_ttl is None:
return None
if not refresh_ttl:
session = self.redis.hgetall(key)
return session or None
now = self._timestamp()
pipeline = self.redis.pipeline()
pipeline.hset(key, mapping={"last_accessed_at": now})
pipeline.expire(key, session_ttl)
pipeline.hgetall(key)
_, _, session = pipeline.execute()
return session or None
This is a simple and effective pattern for many apps. For more complex requirements, you might add separate metadata keys, rotate session IDs after login, or store less frequently accessed data elsewhere.
Prerequisites
Before running the demo, make sure that:
- Redis is running and accessible. By default, the demo connects to
localhost:6379. - The
redisPython package is installed:
pip install redis
If your Redis server is running elsewhere, start the demo with --redis-host and --redis-port.
Running the demo
A local demo server is included to show the session store in action (source):
python demo_server.py
The demo server uses only Python standard library features for HTTP handling:
http.serverfor the web serverhttp.cookiesfor cookie parsing and response cookiesurllib.parsefor form decoding
It exposes a small interactive page where you can:
- Start a session with a username
- Choose a short TTL and watch the session expire
- See the Redis-backed session data rendered in the browser
- Increment a page-view counter stored in Redis
- Change the active session TTL from the page
- Log out and delete the session
After starting the server, visit http://localhost:8080.
Cookie handling
The browser cookie should contain only the session ID:
cookie = SimpleCookie()
cookie["sid"] = session_id
cookie["sid"]["path"] = "/"
cookie["sid"]["httponly"] = True
cookie["sid"]["samesite"] = "Lax"
Avoid storing user profiles, roles, or other sensitive session data directly in cookies. Keep that information in Redis and let the cookie act only as a lookup token.
Production usage
This guide uses a deliberately small local demo so you can focus on the Redis session pattern. In production, you will usually want to harden the cookie, session lifecycle, and deployment details around it.
Secure the session cookie
Set cookie attributes that match your deployment and threat model:
- Keep
HttpOnlyenabled so JavaScript cannot read the session cookie - Use the
Secureattribute when serving your app over HTTPS - Choose an appropriate
SameSitepolicy for your login flow and cross-site behavior - Consider a browser cookie lifetime that matches how you want the session to behave on the client side
Rotate session IDs after authentication changes
When a user logs in, logs out, or their privilege level changes, consider rotating to a new session ID instead of continuing to use the existing one. This reduces the risk of session fixation and gives you a clean point to re-issue the browser cookie.
Store only small, frequently accessed session data
Redis-backed sessions work well for small, frequently accessed state such as:
- User identifiers
- Lightweight preferences
- CSRF-related state
- Simple counters or timestamps
Avoid treating the session as a general-purpose profile store. Large or rarely used data is often better kept in your main database or another dedicated store.
Add CSRF protection when needed
If your application uses cookie-based authentication, make sure your form and API design includes appropriate CSRF protections where needed. The right approach depends on your framework, request patterns, and whether the application accepts cross-site requests.
Namespace session keys in shared Redis deployments
If multiple applications or environments share the same Redis deployment, use a clear key prefix strategy such as session:app-a: or session:staging:. Namespacing helps avoid collisions, simplifies cleanup, and makes it easier to inspect keys during operations or debugging.
Inspect sessions directly in Redis
When testing or troubleshooting, inspect the stored session key directly to confirm that the application is writing the fields and TTL you expect. For example, after creating a session, you can verify the hash contents and expiration with redis-cli:
redis-cli HGETALL session:<session_id>
redis-cli TTL session:<session_id>
Learn more
- redis-py guide - Install and use the Python Redis client
- EXPIRE command - Set key expiration
- HSET command - Set hash fields
- HGETALL command - Read a full session hash
- HINCRBY command - Increment counters in a session