Ktor server invalidate session #4727

Vivecstel opened this issue Mar 6, 2025 · 7 comments

@Vivecstel
Is it possible to invalidate all the other sessions for a user when he/she creates a new session?
The use case is like this:
e.g. the user logs in on one device (mobile or web) and a new session is created by the server.
Then the same user logs in from another device (mobile or web) and creates a new session. The session from the old device needs to be invalidated and only the session from the new device should be active.
I searched the Sessions plugin and authentication/session but am not sure if this is possible right now.

Stexxe (Contributor) commented Mar 6, 2025

The Sessions plugin allows clearing a session instance of the specified type. For more information, please read the documentation.

Have you experienced any problems while implementing the solution?

Vivecstel (Author) commented Mar 6, 2025

> The Sessions plugin allows clearing a session instance of the specified type. For more information, please read the documentation.
>
> Have you experienced any problems while implementing the solution?

Yes, I have read the current documentation, but `clear` doesn't cover the above use case.

> When you need to clear a session for any reason (for example, when a user logs out), call the `clear` function:
>
> ```kotlin
> get("/logout") {
>     call.sessions.clear<UserSession>()
>     call.respondRedirect("/user")
> }
> ```

As I understand it, `clear` removes the current session for the user (i.e. the one with this specific session ID). How can I clear the other, old sessions for this user before starting a new one?

Stexxe (Contributor) commented Mar 7, 2025

Can you please tell me how you determine if the same user sends requests from the multiple devices?

Stexxe (Contributor) commented Mar 7, 2025

Unfortunately, it is impossible to invalidate the user's other sessions. The main reason is that Ktor doesn't provide control over how to generate the session ID based on the cookie's or the header's content. If it did, you could send the client ID, which is the same across all user's devices, along with the device ID, and on the server using the Sessions plugin, save the device ID with the client ID as a key. If the session data existed, you could check the stored device ID and invalidate the session if the identifiers don't match.

Should I file a feature request to address this limitation?

@Vivecstel (Author)

> Can you please tell me how you determine if the same user sends requests from the multiple devices?

For example, I use `call.sessions.set(value = userSession)`, and the user session class includes the userId, which is unique for this user.

> Unfortunately, it is impossible to invalidate the user's other sessions. The main reason is that Ktor doesn't provide control over how to generate the session ID based on the cookie's or the header's content. If it did, you could send the client ID, which is the same across all user's devices, along with the device ID, and on the server using the Sessions plugin, save the device ID with the client ID as a key. If the session data existed, you could check the stored device ID and invalidate the session if the identifiers don't match.

Preferably, I would like to determine with some custom predicate all other sessions using my user session class (for my case all sessions associated with the userId) before setting a new one and clear them.

> Should I file a feature request to address this limitation?

Yes, if possible. Thanks.

Stexxe (Contributor) commented Mar 7, 2025

> For example, I use `call.sessions.set(value = userSession)`, and the user session class includes the userId, which is unique for this user.

This approach requires traversing all session storage to find the sessions of the same user, which is inefficient. I thought of using the user ID as a key for the faster lookup. What do you think?

@Vivecstel (Author)

> For example, I use `call.sessions.set(value = userSession)`, and the user session class includes the userId, which is unique for this user.

> This approach requires traversing all session storage to find the sessions of the same user, which is inefficient. I thought of using the user ID as a key for the faster lookup. What do you think?

Not sure if I want to expose the userId in the session ID. But if you can provide control over how the session ID is generated, e.g. from the user session object, I can somehow associate the generated session IDs with the userId. Also, in `clear` you may need to provide a new function that takes session ID(s) as an argument.
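The thread leaves two constraints on the table: a scan of the whole session storage per login is too slow, and the user ID should not be baked into the session ID. One pattern that satisfies both with the Sessions plugin as it exists today is a per-user "session generation" counter: every login bumps the user's counter and stamps the new session with it, and the session `validate` hook rejects (and clears) any session whose stamp is behind the counter. The following is an added example written for this page against Ktor 2.x; it is not code from the issue or from Ktor itself, and `UserSession`, `SessionGenerations`, the route names and the accept-anything credential check are assumptions made for the example.

```kotlin
// Added example (not from the issue or from Ktor): "session generation" invalidation for a
// Ktor 2.x server. A login bumps the user's counter; every session issued earlier becomes
// stale and is rejected on its next request. The cookie still carries only Ktor's random
// session ID, so the user ID is never exposed, and no storage scan is needed.
import io.ktor.http.*
import io.ktor.server.application.*
import io.ktor.server.auth.*
import io.ktor.server.engine.*
import io.ktor.server.netty.*
import io.ktor.server.request.*
import io.ktor.server.response.*
import io.ktor.server.routing.*
import io.ktor.server.sessions.*
import java.util.concurrent.ConcurrentHashMap
import java.util.concurrent.atomic.AtomicLong

// Session payload (assumed name). `generation` is the user's login counter at the time
// this session was created; a session behind the current counter is stale.
data class UserSession(val userId: String, val generation: Long) : Principal

// Per-user login counter (assumed helper). In memory for the example; in production keep
// it next to the user record so it survives restarts and is shared between nodes.
object SessionGenerations {
    private val counters = ConcurrentHashMap<String, AtomicLong>()

    fun currentFor(userId: String): Long = counters[userId]?.get() ?: 0L

    // Called on every successful login. Bumping the counter is what invalidates all
    // sessions issued before this one: O(1), and the session storage is never touched.
    fun bump(userId: String): Long =
        counters.computeIfAbsent(userId) { AtomicLong(0L) }.incrementAndGet()
}

fun Application.module() {
    install(Sessions) {
        // Server-side storage: the cookie holds only an opaque, random session ID.
        cookie<UserSession>("user_session", storage = SessionStorageMemory()) {
            cookie.path = "/"
            cookie.httpOnly = true
            cookie.extensions["SameSite"] = "Lax"
            // cookie.secure = true   // enable when the server is reached over HTTPS
        }
    }

    install(Authentication) {
        session<UserSession>("auth-session") {
            validate { session ->
                if (session.generation == SessionGenerations.currentFor(session.userId)) {
                    session
                } else {
                    // Stale: the user has logged in elsewhere since this session was issued.
                    // Drop it from storage and from the cookie, then fail authentication.
                    sessions.clear<UserSession>()
                    null
                }
            }
            challenge("/login")
        }
    }

    routing {
        post("/login") {
            val params = call.receiveParameters()
            val userId = params["userId"]
            val password = params["password"]
            // Assumption: a real credential check replaces this; the example only
            // requires both fields to be present.
            if (userId.isNullOrBlank() || password.isNullOrBlank()) {
                call.respond(HttpStatusCode.Unauthorized)
                return@post
            }
            val generation = SessionGenerations.bump(userId) // invalidates this user's other sessions
            call.sessions.set(UserSession(userId, generation))
            call.respondText("logged in as $userId, session generation $generation")
        }

        get("/logout") {
            call.sessions.clear<UserSession>() // clears only the calling device's session
            call.respondRedirect("/login")
        }

        authenticate("auth-session") {
            get("/me") {
                val session = call.principal<UserSession>()!!
                call.respondText("user ${session.userId}, generation ${session.generation}")
            }
        }
    }
}

fun main() {
    embeddedServer(Netty, port = 8080, module = Application::module).start(wait = true)
}
```

To exercise it: POST `userId=alice&password=x` to `/login` from one client and keep its cookie jar, do the same from a second client, then call `/me` with the first client's cookie; it is redirected to `/login` and its server-side record is cleared, while the second client's `/me` succeeds. Two caveats worth knowing before adopting this: invalidation is lazy, so a superseded session's record stays in storage until that device makes its next request or the entry expires (if you need eager deletion, e.g. for an admin kill switch, you are back to needing a userId-to-session-ID index of the kind discussed above); and because the counter, not the storage, is the source of truth, losing it fails closed (every existing session is treated as stale), which is the safe direction but will log all users out after a restart if the counter is only held in memory.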
