Session-aware redirects with intended URL support

8.1.0 (2026-04-09)

The Session class now provides setIntendedUrl, getIntendedUrl, pullIntendedUrl, and clearIntendedUrl methods for storing and retrieving intended redirect destinations. All stored URLs are validated against open-redirect attacks.

Redirect.getPreviousUrl is overridden via a macro to check the session for redirect.previousUrl before falling back to the Referer header.

New redirect macros:

• withIntendedUrl and toIntended for forced and voluntary login flows
• toIntendedRoute redirects to the intended URL from the session if one exists, otherwise falls back to computing a URL from a route identifier (same arguments as toRoute)

Features

• add intended URL, previous URL session override, and redirect macros (34a6872)
• add toIntendedRoute macro on Redirect (b0c4f34)

Full Changelog: v8.0.0...v8.1.0

Support for session tagging and collections and breaking changes in flash messages behavior

8.0.0 (2026-02-25)

Check all 8.0.0 pre-releases to get a better sense of changes

Features

• export session.untag via the session object (603d838)
• implement untag method for memory and redis stores (8cc39e7)
• port DB adapter + tagging to v8 (6416ebc)
• add support for tagging + SessionCollection (#94) (a51e388)
• do not flash input data for inertia requests (91b60ee), closes #89

BREAKING CHANGES

• In this release, we remove the deprecated errors property from the flash messages and you must rely on the inputErrors property instead to read input validation errors. Also, for Inertia applications, we no longer flash input data
• Flashing multipart files has no utility and just pollutes the session data store. However, if there were apps relying on flashed multipart files, then they must upgrade their apps to explicitly flash properties from the multipart file (dbbdc2c)

What's Changed

• feat: port DB adapter and Tagging to V8 by @Julien-R44 in #96

Full Changelog: v7.5.1...v8.0.0

Update dependencies

8.0.0-next.6 (2026-02-18)

Add session.untag and session.supportsTagging methods

8.0.0-next.5 (2026-02-02)

Features

• export session.untag via the session object (603d838)

Full Changelog: v8.0.0-next.4...v8.0.0-next.5

Add support for untagging a session

8.0.0-next.4 (2026-02-02)

Features

• implement untag method for memory and redis stores (8cc39e7)

Full Changelog: v8.0.0-next.3...v8.0.0-next.4

Breaking - Do not store multipart files in flash messages

8.0.0-next.3 (2026-02-01)

Features

• do not flash multipart files (dbbdc2c)

BREAKING CHANGES

• Flashing multipart files has no utility and just pollutes the session data store. However, if there were apps relying on flashed multipart files, then they must upgrade their apps to explicitly flash properties from the multipart file

Full Changelog: v8.0.0-next.2...v8.0.0-next.3

DB Adapter and Tagging support

8.0.0-next.2 (2025-12-20)

Features

• port DB adapter + tagging to v8 (6416ebc)

Bug fix around database tagging

7.7.1 (2025-12-20)

Bug Fixes

• database: preserve session tag when called before commit (f5ce7b0), closes #95

Bug fixes and update dependencies

8.0.0-next.1 (2025-12-19)

Bug Fixes

• explicitly remove maxAge and expires attributes when clearWithBrowser is enabled (7357c42)
• types issues (3303e14)

Full Changelog: v8.0.0-next.0...v8.0.0-next.1

Session Collection

Session Tagging & SessionCollection

This release adds session tagging support and a new SessionCollection API for programmatic session management.

New Features

Session Tagging

Link sessions to user IDs, enabling features like "Logout from all devices" or displaying active sessions in account settings.

// Tag the current session after login
await session.tag(String(user.id))

SessionCollection API

Manage sessions programmatically outside of HTTP requests:

import { SessionCollection } from '@adonisjs/session'

const sessionCollection = await app.container.make(SessionCollection)

await sessionCollection.get(sessionId)           // Get session data
await sessionCollection.destroy(sessionId)       // Destroy a session
await sessionCollection.tag(sessionId, userId)   // Tag a session
await sessionCollection.tagged(userId)           // Get all sessions for a user

Supported Stores

Session tagging is supported by redis, database, and memory stores only.

Database Migration

If using the database store, run node ace make:session-table for new projects, or add the user_id column to existing sessions tables:

table.string('user_id').nullable().index()

Commits

• add support for tagging + SessionCollection (#94) (a51e388)