-
Notifications
You must be signed in to change notification settings - Fork 940
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Server side sessions #1673
Merged
Merged
Server side sessions #1673
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lfleischmann
requested changes
Oct 14, 2024
frontend/elements/src/components/accordion/ListSessionsAccordion.tsx
Outdated
Show resolved
Hide resolved
lfleischmann
requested changes
Oct 14, 2024
lfleischmann
approved these changes
Oct 15, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR adds server side sessions. Currently the sessions are only a JWT which does not allow to revoke any session before the JWT expiration time is over. This PR adds a
session_id
to each JWT and stores them in the database, when server side sessions are enabled. Only when a thesession_id
from a JWT is found in the database a session is valid.Now a service that uses Hanko must use the new session check endpoint in the admin API in order to know if the session is valid or revoked. This session check endpoint can also be used when server side sessions are disabled, then it only verifies that the signature and expiration time of JWT are valid.
When server side sessions are enabled the profile shows a list of active sessions which the user can revoke, except for the current one.
Implementation
New config options are added to enabled sever side sessions and also to limit the active session a user can have. Each JWT gets a new parameter
session_id
which is stored in the database along with the userAgent and the ip address. It is also stored when the session was last used and is updated every time the profile flow or the session check endpoint from the admin API is used.When a user already has a non server side session and server side sessions are enabled, that session is not valid anymore as the
session_id
is only stored when server side sessions are enabled.Tests
Enable server side sessions and login on different browsers. Try to revoke sessions from other browsers and check that you are not logged in anymore.
Todos