Sessions

Anytime there’s a successful authentication (login) for a user, a login token is created. This also marks the beginning of an authenticated session for that user.

Traditionally, sessions have been somewhat opaque. They have a start and maybe an inactivity timeout. How many exist, for whom, and other characteristics are usually unknown.

AuthRocket supports both this simple, open-ended model of sessions as well as a much more powerful model that adds maximum session lengths, guaranteed logouts, visibility to open sessions, and more.

We refer to the simple, open-ended sessions as unmanaged and the more powerful ones as managed.

Unmanaged sessions

Unmanaged sessions have some features, but some limitations. AuthRocket’s approach even to unmanaged sessions offers enhanced security over simplistic traditional solutions.

Like any session, unmanaged sessions are initiated by a successful authentication which creates a login token. That login token is passed to your app for validation.

Since AuthRocket’s login tokens are JWT compatible, AuthRocket will still optionally add an expiration time to the token which will guarantee an end-time to the session. It’s also possible to exclude the expiration time, making the sessions open ended, which is useful for some apps.

Managed sessions

Managed sessions start off just like unmanaged sessions. However, AuthRocket also keeps track of the session. This adds three significant benefits:

1. A list of all current sessions can be viewed, providing visibility to when and where each session was established.
2. When a session is logged out prior to expiration, the session is definitely marked as terminated and cannot be duplicated on another client device.
3. Terminating a session can be done not only by the session itself, but by an administrator or another session controlled by that same user. This greatly enhances security and control over sessions.

human vs api Users

Only human users may have managed sessions. Authentication to your Realm using API keys will always create unmanaged sessions.

Configuration

Managed vs unmanaged is configured on a per-Realm basis as part of the Realm’s settings (see session_type).

For human users, the maximum session length is configurable via session_minutes.

For managed sessions, it may range from 1 minute to 1 year.

For unmanaged sessions, the maximum session time may range from 1 minute to 2 years or may be disabled entirely (open-ended sessions).

For API keys, session length is set using api_key_minutes.

Since API keys logins are always unmanaged, their maximum session time is 1 minute to 2 years or disabled (open-ended sessions).

Practical considerations for managed sessions

Managed sessions must periodically be revalidated with AuthRocket to ensure they haven’t been terminated. For lower-traffic apps, it may be appropriate to simply validate with AuthRocket every time.

For higher-traffic apps, or where latency times are critical, a simple cache of the validation state is appropriate. Consider revalidating with AuthRocket every 5-15 minutes, or whatever period makes the most sense for your app.

Users may have a maximum of 10 active managed sessions at one time. When a new session is created that would exceed this, the oldest session is automatically deleted so that the new session can be created.