Anytime there’s a successful authentication (login) for a user, a login token is created. This also marks the beginning of an authenticated session for that user.
Traditionally, sessions have been somewhat opaque. They have a start and maybe an inactivity timeout. How many exist, for whom, and other characteristics are usually unknown.
AuthRocket supports both this simple, open-ended model of sessions as well as a much more powerful model that adds maximum session lengths, guaranteed logouts, visibility to open sessions, and more.
We refer to the simple, open-ended sessions as unmanaged and the more powerful ones as managed.
Unmanaged sessions offer some features but also have some limitations. Even so, AuthRocket’s approach to unmanaged sessions offers enhanced security over simplistic traditional solutions.
Like any session, an unmanaged session is initiated by a successful authentication, which creates a login token. That login token is passed to your app for validation.
Because AuthRocket’s login tokens are JWT-compatible, AuthRocket can optionally add an expiration time to the token, which guarantees an end time for the session. The expiration time can also be omitted, making sessions open-ended, which is useful for some apps.
Managed sessions start off just like unmanaged sessions. However, AuthRocket also keeps track of the session. This adds three significant benefits:
Human vs API Users
Only human users may have managed sessions. Authentication to your Realm using API keys will always create unmanaged sessions.
Managed vs unmanaged is configured on a per-Realm basis as part of the Realm’s settings (see session_type).
For human users, the maximum session length is configurable via session_minutes.
For managed sessions, it may range from 1 minute to 1 year.
For unmanaged sessions, the maximum session time may range from 1 minute to 2 years or may be disabled entirely (open-ended sessions).
For API keys, session length is set using api_key_minutes.
Since API key logins are always unmanaged, their maximum session time is 1 minute to 2 years, or disabled (open-ended sessions).
Managed sessions must periodically be revalidated with AuthRocket to ensure they haven’t been terminated. For lower-traffic apps, it may be appropriate to simply validate with AuthRocket on every request.
For higher-traffic apps, or where latency is critical, a simple cache of the validation state is appropriate. Consider revalidating with AuthRocket every 5-15 minutes, or whatever period makes the most sense for your app.
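The caching approach above, as an added illustration (not AuthRocket’s own code): the remote revalidation call is a hypothetical callback you supply, the token’s expiration is assumed to have already been extracted by your JWT verification, and the cache TTL is the 5-15 minute window the text suggests. Note that a logout performed elsewhere is only noticed once the cached entry goes stale, so the TTL is also the maximum lag before a terminated session is rejected.

```python
import time
from typing import Callable, Dict, Optional


class SessionValidationCache:
    """Cache the result of remote (AuthRocket-style) managed-session revalidation.

    A managed session can be terminated server-side at any moment, so a locally
    cached "still valid" answer is trusted only for `ttl_seconds`. The token's
    own expiration (if any) is always enforced locally and is never cached away.
    """

    def __init__(self, revalidate: Callable[[str], bool],
                 ttl_seconds: int = 600, clock: Callable[[], float] = time.time):
        # `revalidate` is a hypothetical callback: True if the session is still active.
        self._revalidate = revalidate
        self._ttl = ttl_seconds
        self._clock = clock                      # injectable for deterministic tests
        self._confirmed_at: Dict[str, float] = {}  # session id -> last confirmed time

    def is_valid(self, session_id: str, exp: Optional[float]) -> bool:
        now = self._clock()
        # 1. A hard expiry from the token wins regardless of cache state.
        if exp is not None and now >= exp:
            self._confirmed_at.pop(session_id, None)
            return False
        # 2. Fresh cache entry: answer without a round-trip.
        last = self._confirmed_at.get(session_id)
        if last is not None and now - last < self._ttl:
            return True
        # 3. Missing or stale: ask the server. Fail closed and evict on "terminated".
        if self._revalidate(session_id):
            self._confirmed_at[session_id] = now
            return True
        self._confirmed_at.pop(session_id, None)
        return False

    def forget(self, session_id: str) -> None:
        """Drop a session after a local logout so the next check goes remote."""
        self._confirmed_at.pop(session_id, None)


if __name__ == "__main__":
    # Constructed demo: a fake server that knows one active session.
    active = {"sess_demo"}
    cache = SessionValidationCache(lambda sid: sid in active, ttl_seconds=600)
    print(cache.is_valid("sess_demo", exp=None))   # True, confirmed remotely
    active.discard("sess_demo")                    # logged out elsewhere
    print(cache.is_valid("sess_demo", exp=None))   # True, still within cache TTL
```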
Users may have a maximum of 10 active managed sessions at one time. When a new session is created that would exceed this, the oldest session is automatically deleted so that the new session can be created.