Plug.Session options as module attribute for Phoenix.LiveView!?

Good afternoon folks

I’ve been playing around with LiveView for a few days now and I have to admit it’s changing my approach to many use cases for client projets!

There is one thing I can wrap my head around: configuration for the production release; let me explain…

  1. In our actual way of packaging releases in Docker images, following 12-Factor App principles, the Plug.Session gets it’s key and signing_salt options from environment variables with Application.get_env/3.
  1. The LiveView documentation says to extract the @session_options to a module attribute…

As module attribute, options are expanded at compile time! It works locally for development purposes since the same variables are used at both compile time and runtime, but breaks during the docker build… of the CI workflow because SESSION_KEY and SIGNING_SALT are not available!

I looked at the code in Phoenix and Plug.Session to understand if there is a different way to configure the socket session callback, but came out clear the
session needs to be a Map…

Is it considered good practice to bake the session key and signing_salt in a version binaries, meaning we would have to build a new Docker image to change those value?

1 Like

@chrismccord, @josevalim, @snewcomer I’m curious to get your opinion on ^this?

On Phoenix master we allow the session connect_info to be an MFA, so stay tuned.


Did a little research for reference to anyone finding this post in the future!

Here’s the code in Phoenix.Socket.Transport to support a {MFA} 3-tuple to initialize the session configuration:

The original issue:

And the pull request adding the feature:

@chrismccord Even with MFA, it looks like the configuration still is compile time!

The before_compile macro expands to private do_handler/3 functions to match on every HTTP/Socket paths.

To generate the list of sockets to loop on, socket_paths/4 invokes Phoenix.Socket.Transport.load_config/2 explicitly, thus resolving the MFA, at compile time…

A little update on my configuration issue with MFA!

I opened an issue on the Phoenix repo yesterday…

it was fixed 6h later by @josevalim :tada:

1 Like

@gcauchon How do you solve the plug Plug.Session compile-time problem?

It seems this part was solved:

@session_options {MyModule, :get_session_config, []}
socket "/live", Phoenix.LiveView.Socket,
  websocket: [connect_info: [session: @session_options]] 

But it does not seem to play nicely with this part:

plug Plug.Session, @session_options

I try to understand the explanation here:

This part:

{:session, session_config} - the session information from Plug.Conn . The session_config is an exact copy of the arguments given to Plug.Session . This requires the “_csrf_token” to be given as request parameter with the value of URI.encode_www_form(Plug.CSRFProtection.get_csrf_token()) when connecting to the socket. It can also be a MFA to allow loading config in runtime {MyAppWeb.Auth, :get_session_config, []} . Otherwise the session will be nil .

But to me this is abracadabra and I’m not sure how this relates to configuring Plug.Session at runtime.
Do you have an actual working example of configuring the session at runtime?

(probably startup time is a better term)

1 Like

I’m not using the “vanilla” Plug.Session configuration! Like for many other plugs in the default Phoenix configuration, you hate to use init/1 and call/2 explicitly to bypass the default macro expansion at compile time.

I also extracted a get_options/0 function to a separate module to be {m, f, a} compatible and am not using the module attribute because it is not required anymore!

defmodule FooWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :foo

  socket("/live", Phoenix.LiveView.Socket, 
    websocket: [
      connect_info: [
        {:session, {FooWeb.Session, :get_options, []}}



  defp session(conn, _opts) do
    opts = Plug.Session.init(FooWeb.Session.get_options()), opts)

defmodule FooWeb.Session do
  def get_options do
      store: :cookie,
      key: System.get_env("SESSION_KEY"),
      signing_salt: System.get_env("SIGNING_SALT")
1 Like

Thank you for this explanation, very useful indeed.
I wonder how System.get_env/2 performance compares to populating the application environment on startup and calling Application.get_env/3 on every request.
Not sure whether System.get_env/2 caches results and is also a single ets read once a value becomes available.

Thanks again @gcauchon, your solution works like a charm, awesome!
I decided to load session options into the application environment.
Also an inline session module will do the trick.

# MyApp.Application

def start(_type, _args) do
  Application.put_env(:my_app, :session_options, [
    store: :cookie,
    key: "session",
    signing_salt: System.fetch_env!("SESSION_SIGNING_SALT")
  children = [


Configure session at runtime.

# MyApp.Endpoint

defmodule Session do
  def options do
    Application.get_env(:my_app, :session_options)

defp session(conn, _opts) do, Plug.Session.init(


socket "/live", Phoenix.LiveView.Socket, websocket: [
  connect_info: [session: {Session, :options, []}]


plug Plug.MethodOverride
plug Plug.Head
plug MyApp.Router

1 Like

I really like the idea of reading environment variables from Application, not System. I will adopt a similar approach for sure :+1:

1 Like