diff --git a/LICENSE b/LICENSE
new file mode 100644
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,165 @@
+                  GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+
+  This version of the GNU Lesser General Public License incorporates
+the terms and conditions of version 3 of the GNU General Public
+License, supplemented by the additional permissions listed below.
+
+  0. Additional Definitions. 
+
+  As used herein, "this License" refers to version 3 of the GNU Lesser
+General Public License, and the "GNU GPL" refers to version 3 of the GNU
+General Public License.
+
+  "The Library" refers to a covered work governed by this License,
+other than an Application or a Combined Work as defined below.
+
+  An "Application" is any work that makes use of an interface provided
+by the Library, but which is not otherwise based on the Library.
+Defining a subclass of a class defined by the Library is deemed a mode
+of using an interface provided by the Library.
+
+  A "Combined Work" is a work produced by combining or linking an
+Application with the Library.  The particular version of the Library
+with which the Combined Work was made is also called the "Linked
+Version".
+
+  The "Minimal Corresponding Source" for a Combined Work means the
+Corresponding Source for the Combined Work, excluding any source code
+for portions of the Combined Work that, considered in isolation, are
+based on the Application, and not on the Linked Version.
+
+  The "Corresponding Application Code" for a Combined Work means the
+object code and/or source code for the Application, including any data
+and utility programs needed for reproducing the Combined Work from the
+Application, but excluding the System Libraries of the Combined Work.
+
+  1. Exception to Section 3 of the GNU GPL.
+
+  You may convey a covered work under sections 3 and 4 of this License
+without being bound by section 3 of the GNU GPL.
+
+  2. Conveying Modified Versions.
+
+  If you modify a copy of the Library, and, in your modifications, a
+facility refers to a function or data to be supplied by an Application
+that uses the facility (other than as an argument passed when the
+facility is invoked), then you may convey a copy of the modified
+version:
+
+   a) under this License, provided that you make a good faith effort to
+   ensure that, in the event an Application does not supply the
+   function or data, the facility still operates, and performs
+   whatever part of its purpose remains meaningful, or
+
+   b) under the GNU GPL, with none of the additional permissions of
+   this License applicable to that copy.
+
+  3. Object Code Incorporating Material from Library Header Files.
+
+  The object code form of an Application may incorporate material from
+a header file that is part of the Library.  You may convey such object
+code under terms of your choice, provided that, if the incorporated
+material is not limited to numerical parameters, data structure
+layouts and accessors, or small macros, inline functions and templates
+(ten or fewer lines in length), you do both of the following:
+
+   a) Give prominent notice with each copy of the object code that the
+   Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the object code with a copy of the GNU GPL and this license
+   document.
+
+  4. Combined Works.
+
+  You may convey a Combined Work under terms of your choice that,
+taken together, effectively do not restrict modification of the
+portions of the Library contained in the Combined Work and reverse
+engineering for debugging such modifications, if you also do each of
+the following:
+
+   a) Give prominent notice with each copy of the Combined Work that
+   the Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the Combined Work with a copy of the GNU GPL and this license
+   document.
+
+   c) For a Combined Work that displays copyright notices during
+   execution, include the copyright notice for the Library among
+   these notices, as well as a reference directing the user to the
+   copies of the GNU GPL and this license document.
+
+   d) Do one of the following:
+
+       0) Convey the Minimal Corresponding Source under the terms of this
+       License, and the Corresponding Application Code in a form
+       suitable for, and under terms that permit, the user to
+       recombine or relink the Application with a modified version of
+       the Linked Version to produce a modified Combined Work, in the
+       manner specified by section 6 of the GNU GPL for conveying
+       Corresponding Source.
+
+       1) Use a suitable shared library mechanism for linking with the
+       Library.  A suitable mechanism is one that (a) uses at run time
+       a copy of the Library already present on the user's computer
+       system, and (b) will operate properly with a modified version
+       of the Library that is interface-compatible with the Linked
+       Version. 
+
+   e) Provide Installation Information, but only if you would otherwise
+   be required to provide such information under section 6 of the
+   GNU GPL, and only to the extent that such information is
+   necessary to install and execute a modified version of the
+   Combined Work produced by recombining or relinking the
+   Application with a modified version of the Linked Version. (If
+   you use option 4d0, the Installation Information must accompany
+   the Minimal Corresponding Source and Corresponding Application
+   Code. If you use option 4d1, you must provide the Installation
+   Information in the manner specified by section 6 of the GNU GPL
+   for conveying Corresponding Source.)
+
+  5. Combined Libraries.
+
+  You may place library facilities that are a work based on the
+Library side by side in a single library together with other library
+facilities that are not Applications and are not covered by this
+License, and convey such a combined library under terms of your
+choice, if you do both of the following:
+
+   a) Accompany the combined library with a copy of the same work based
+   on the Library, uncombined with any other library facilities,
+   conveyed under the terms of this License.
+
+   b) Give prominent notice with the combined library that part of it
+   is a work based on the Library, and explaining where to find the
+   accompanying uncombined form of the same work.
+
+  6. Revised Versions of the GNU Lesser General Public License.
+
+  The Free Software Foundation may publish revised and/or new versions
+of the GNU Lesser General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+  Each version is given a distinguishing version number. If the
+Library as you received it specifies that a certain numbered version
+of the GNU Lesser General Public License "or any later version"
+applies to it, you have the option of following the terms and
+conditions either of that published version or of any later version
+published by the Free Software Foundation. If the Library as you
+received it does not specify a version number of the GNU Lesser
+General Public License, you may choose any version of the GNU Lesser
+General Public License ever published by the Free Software Foundation.
+
+  If the Library as you received it specifies that a proxy can decide
+whether future versions of the GNU Lesser General Public License shall
+apply, that proxy's public statement of acceptance of any version is
+permanent authorization for you to choose that version for the
+Library.
diff --git a/Setup.hs b/Setup.hs
new file mode 100644
--- /dev/null
+++ b/Setup.hs
@@ -0,0 +1,2 @@
+import Distribution.Simple
+main = defaultMain
diff --git a/simple-session.cabal b/simple-session.cabal
new file mode 100644
--- /dev/null
+++ b/simple-session.cabal
@@ -0,0 +1,59 @@
+name:                simple-session
+version:             0.6.0
+synopsis:            Cookie-based session management for the Simple web framework
+description:
+
+  Adds cookie-based session management to simple 'Controller's. To add to an
+  application, declare the Controller setting\'s type an instance of
+  'HasSession', and wrap routes with 'withSession'. For example:
+  .
+  > data AppSettings = ...
+  >
+  > instance HasSession AppSettings where
+  >   ...
+  .
+  > controllerApp settings $ withSessions $ do
+  >   routeName \"posts\" $ ...
+  .
+  Then, in your controllers you can seemlessly get and set keys from the
+  session:
+  .
+  > get "/profile" $ do
+  >   muserId <- sessionLookup "current_user_id"
+  >   case muserIf of
+  >     Nothing -> respond $ redirectTo "/login"
+  >     Just userId -> [handle request]
+      
+homepage:            http://simple.cx
+license:             LGPL-3
+license-file:        LICENSE
+author:              Amit Aryeh Levy
+maintainer:          amit@amitlevy.com
+category:            Web
+build-type:          Simple
+cabal-version:       >=1.10
+
+library
+  hs-source-dirs: src
+  ghc-options: -Wall
+  exposed-modules:
+    Web.Simple.Session
+  build-depends:
+      base < 6
+    , blaze-builder
+    , cookie
+    , cryptohash
+    , byteable
+    , base64-bytestring
+    , bytestring
+    , containers
+    , http-types
+    , simple >= 0.6
+    , transformers
+    , wai
+  default-language:    Haskell2010
+
+source-repository head
+  type: git
+  location: anonymous@gitstar.com:alevy/simple.git
+
diff --git a/src/Web/Simple/Session.hs b/src/Web/Simple/Session.hs
new file mode 100644
--- /dev/null
+++ b/src/Web/Simple/Session.hs
@@ -0,0 +1,191 @@
+{-# LANGUAGE FlexibleInstances, OverloadedStrings #-}
+
+{- | Adds cookie-based session management to simple 'Controller's. To add to an
+  application, declare the Controller setting\'s type an instance of
+  'HasSession', and wrap routes with 'withSession'. For example:
+
+  > data AppSettings = ...
+  >
+  > instance HasSession AppSettings where
+  >   ...
+
+  > controllerApp settings $ withSessions $ do
+  >   routeName \"posts\" $ ...
+
+ -}
+module Web.Simple.Session
+  ( Session
+  -- * Class and Middleware
+  , HasSession(..), withSession
+  -- * Accessors
+  , sessionLookup, sessionInsert, sessionDelete, sessionClear
+
+  -- * Utilities
+  , session, parseSession, dumpSession, addCookie
+  ) where
+
+import Control.Monad.IO.Class
+import Blaze.ByteString.Builder
+import Crypto.Hash
+import Data.Byteable
+import Data.ByteString.Base64
+import qualified Data.ByteString as S
+import qualified Data.ByteString.Char8 as S8
+import Data.Map (Map)
+import qualified Data.Map as M
+import Network.HTTP.Types.Header
+import Network.HTTP.Types.URI
+import Web.Cookie
+import Web.Simple
+import System.Environment
+
+-- | Plaintext mapping of the session map. Both keys and values are
+-- 'S.ByteString's.
+type Session = Map S.ByteString S.ByteString
+
+-- | Instances of this class can be used as states by a 'Controller' states
+-- to manage cookie-based user sessions. Instances must minimally implement
+-- 'getSession' and 'setSession'. By default, the secret session key is taken
+-- from the environment variable \"SESSION_KEY\", or a default dummy key is
+-- used if the environment variable \"ENV\" is set to \"development\". You can
+-- override this behaviour by implementing the 'sessionKey' method.
+-- If the controller state contains a dedicated field of type 'Maybe Session',
+-- a reasonable implementation would be:
+--
+-- > data MyAppSettings = MyAppSettings { myAppSess :: Maybe Session, ...}
+-- >
+-- > instance HasSession MyAppSettings where
+-- >    getSession = myAppSess <$> controllerState
+-- >    setSession sess = do
+-- >      cs <- controllerState
+-- >      putState $ cs { myAppSess = sess }
+--
+class HasSession hs where
+  -- | Returns the secret session key. The default implementation uses the
+  -- \"SESSION_KEY\" environment variable. If it is not present, and the
+  -- \"ENV\" environment variable is set to \"development\", a dummy, hardcoded
+  -- key is used.
+  sessionKey :: Controller hs S.ByteString
+  sessionKey = liftIO $ do
+    env <- getEnvironment
+    case lookup "SESSION_KEY" env of
+      Just key -> return $ S8.pack key
+      Nothing ->
+        case lookup "ENV" env of
+          Just e | e == "development" -> return "test-session-key"
+          _ -> (error "SESSION_KEY environment variable not set")
+
+  -- | Returns the cached session for the current request, or nothing if the
+  -- session has not been set yet for this request. 
+  getSession :: hs -> Maybe Session
+
+  -- | Stores a parsed or changed session for the remainder of the request.This
+  -- is used both for cached a parsed session cookie as well as for serializing
+  -- to the \"Set-Cookie\" header when responding.
+  setSession :: Session -> Controller hs ()
+
+-- | A trivial implementation if the 'Controller' settings is just a Session
+-- store.
+instance HasSession (Maybe Session) where
+  getSession = id
+  setSession = putState . Just
+
+-- | A middleware wrapper around a 'Controller' that sets the \"Set-Cookie\"
+-- header in the HTTP response if the Session is present, i.e. if it was
+-- accessed/modified by the 'Controller'.
+withSession :: HasSession hs => Controller hs a -> Controller hs a
+withSession (Controller act) = do
+  sk <- sessionKey
+  Controller $ \st0 -> do
+    (eres, st@(r, _)) <- act st0
+    case eres of
+      Left resp0 -> do
+        let resp = case getSession r of
+                     Just sess -> addCookie
+                                   ("session", dumpSession sk sess)
+                                   resp0
+                     Nothing -> resp0
+        return (Left resp, st)
+      Right _ -> return (eres, st)
+
+-- | Adds a \"Set-Cookie\" with the given key-value tuple to the 'Response'.
+-- The path set on the cookie is \"/\", meaning it applies to all routes on the
+-- domain, and no expiration is set.
+addCookie :: (S.ByteString, S.ByteString) -> Response -> Response
+addCookie (key, value) resp =
+  let (stat, hdrs, src) = responseSource resp
+  in ResponseSource stat (("Set-Cookie", cookie):hdrs) src
+  where cookie = toByteString . renderSetCookie $
+                  def { setCookieName = key
+                      , setCookieValue = value
+                      , setCookiePath = Just "/" }
+
+-- | Returns the current 'Session', either from the 'getSession' cache or by
+-- parsing the cookie from the 'Request' using 'sessionFromCookie'.
+session :: HasSession hs => Controller hs Session
+session = do
+  msession <- getSession `fmap` controllerState
+  case msession of
+    Just sess -> return sess
+    Nothing -> do
+      sess <- sessionFromCookie
+      setSession =<< sessionFromCookie
+      return sess
+
+-- | Get and parse a 'Session' from the current 'Request'.
+sessionFromCookie :: HasSession hs => Controller hs Session
+sessionFromCookie = do
+  cookies <- (maybe [] parseCookies) `fmap` requestHeader hCookie
+  sess <- case lookup "session" cookies of
+            Just sessionCookie -> do
+              sk <- sessionKey
+              return $ parseSession sk sessionCookie
+            Nothing -> return M.empty
+  return sess
+
+-- | Parses and validates a serialized 'Session' given the secret. If the
+-- 'Session' is invalid (i.e. the hmac does not match), an empty 'Session' is
+-- returned.
+parseSession :: S.ByteString -> S.ByteString -> Session
+parseSession secret sessionCookie =
+  let (b64, serial) = S.splitAt 44 sessionCookie
+      mdigest = digestFromByteString $ either (const S.empty) id $ decode b64
+  in case mdigest of
+       Nothing -> M.empty
+       Just digest ->
+         if hmacGetDigest (hmacAlg SHA256 secret serial) == digest then
+           M.fromList $ parseSimpleQuery serial
+           else M.empty
+
+-- | Serializes a 'Session' by applying a sha256 hmac with the given secret
+-- key to the serialized 'Session' (using 'renderSimpleQuery'), base64 encoding
+-- the result, and prepending it to the serialized 'Session'.
+dumpSession :: S.ByteString -> Session -> S.ByteString
+dumpSession secret sess =
+  let serial = renderSimpleQuery False $ M.toList sess
+      digest = hmacGetDigest $ hmacAlg SHA256 secret serial
+      b64 = encode $ toBytes digest
+  in b64 `S.append` serial
+
+-- | Lookup a key from the current 'Request's session.
+sessionLookup :: HasSession hs
+              => S.ByteString -> Controller hs (Maybe S.ByteString)
+sessionLookup key = M.lookup key `fmap` session
+
+-- | Insert or replace a key in the current 'Request's session.
+sessionInsert :: HasSession hs
+              => S.ByteString -> S.ByteString -> Controller hs ()
+sessionInsert key value = do
+  sess <- session
+  setSession (M.insert key value sess)
+
+-- | Remove a key from the current 'Request's session.
+sessionDelete :: HasSession hs => S.ByteString -> Controller hs ()
+sessionDelete key = do
+  sess <- session
+  setSession $ M.delete key sess
+
+-- | Clear the entire 'Session'.
+sessionClear :: HasSession hs => Controller hs ()
+sessionClear = setSession M.empty
+
