
Session Management

Amit Das edited this page Apr 28, 2026 · 1 revision

📱 Session Management

This page explains how session management works inside SecureAuth.

SecureAuth includes advanced multi-device session management for secure account access and active session monitoring.


🔐 Session Management Overview

SecureAuth session management provides:

  • Multi-device login support
  • Active session tracking
  • Remote session revocation
  • Device monitoring
  • Secure session validation

🚀 How Sessions Work

After successful authentication:

  1. A JWT token is generated
  2. A session record is created
  3. Device information is stored with the session
  4. The session is linked to the authenticated user
  5. A secure cookie carrying the token is created
  6. Access to protected routes is granted

📲 Multi-Device Sessions

SecureAuth allows users to stay logged in across multiple devices.

Supported devices:

  • Desktop browsers
  • Mobile browsers
  • PWA installations

🖥 Device Tracking

Each session stores device-related information.

Examples:

  • Browser information
  • Login timestamp
  • Device activity
  • Session identifier

🔒 Session Security

Sessions are protected using multiple security layers.

Includes:

  • JWT validation
  • Session expiration checks
  • Secure cookie storage
  • Device verification

🍪 Secure Cookie Sessions

SecureAuth stores authentication tokens using HTTP-only cookies.

Benefits:

  • Prevents JavaScript access
  • Reduces XSS risks
  • Improves session security

📊 Active Session Monitoring

Users can view their own active sessions.

Features:

  • Current device detection
  • Login activity monitoring
  • Session status tracking

🔄 Session Revocation

Users can revoke sessions remotely.

Useful for:

  • Lost devices
  • Unauthorized access
  • Security incidents

Revoke Single Session

Request:

DELETE /api/auth/sessions/:sessionId

Revoke All Other Sessions

Request:

DELETE /api/auth/sessions/others

📡 Session API Endpoints


Get Active Sessions

GET /api/auth/sessions

Revoke Specific Session

DELETE /api/auth/sessions/:sessionId

Revoke Other Sessions

DELETE /api/auth/sessions/others

🔍 Current Device Detection

SecureAuth can identify the current active device session.

Benefits:

  • Easier session management
  • Better security awareness

⏳ Session Expiration

Sessions may expire automatically after inactivity or token expiration.

Benefits:

  • Reduces unauthorized access risks
  • Improves security protection
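The store-side logic behind the three endpoints under "Session Revocation" and "Session API Endpoints", together with the current-device flag from "Current Device Detection" and the inactivity expiry from "Session Expiration", as an added example. This is not SecureAuth's own code: the session record shape, the 30-day idle window, the in-memory Map and the mapping of functions to routes are assumptions, and the hard expiry is taken from an assumed `expiresAt` field on the record:

```javascript
// Added example, not SecureAuth's own code: what the session endpoints do
// against the session store. Record shape and idle window are assumptions.
const INACTIVITY_SECONDS = 60 * 60 * 24 * 30; // assumed 30-day idle timeout

// sid -> { sid, userId, device, createdAt, lastSeenAt, expiresAt, revoked }
const store = new Map();

function addSession(session) {
  store.set(session.sid, session);
  return session;
}

// A session is usable only if it exists, was not revoked, has not passed its
// hard expiry and has been used within the inactivity window. This is the
// check that makes "Session expired" and "Invalid session" responses possible.
function isActive(session, now) {
  return Boolean(session)
    && !session.revoked
    && session.expiresAt > now
    && now - session.lastSeenAt <= INACTIVITY_SECONDS;
}

// GET /api/auth/sessions: every active session for the caller, with the one
// that made the request marked as current so the UI can show "this device".
// Only fields the user needs are returned; the raw record stays server-side.
function listSessions(userId, currentSid, now) {
  return [...store.values()]
    .filter((s) => s.userId === userId && isActive(s, now))
    .map((s) => ({
      sid: s.sid,
      device: s.device,
      createdAt: s.createdAt,
      lastSeenAt: s.lastSeenAt,
      current: s.sid === currentSid,
    }));
}

// DELETE /api/auth/sessions/:sessionId: revoke one session. The ownership check
// is the important line: the id comes from the URL, so without it any
// authenticated user could revoke any other user's session.
function revokeSession(userId, sessionId) {
  const s = store.get(sessionId);
  if (!s || s.userId !== userId) return false; // same answer for "not found" and "not yours"
  s.revoked = true;
  return true;
}

// DELETE /api/auth/sessions/others: revoke everything except the caller's
// current session, the action for a lost device or a suspected compromise.
function revokeOtherSessions(userId, currentSid) {
  let count = 0;
  for (const s of store.values()) {
    if (s.userId === userId && s.sid !== currentSid && !s.revoked) {
      s.revoked = true;
      count += 1;
    }
  }
  return count;
}
```

Two things worth checking in whatever implements these routes: that `revokeSession` is scoped to the authenticated user and not just to the id in the path, and, if the routes are Express routes as the `:sessionId` syntax suggests, that `/api/auth/sessions/others` is registered before `/api/auth/sessions/:sessionId`, otherwise the literal word `others` is captured as a session id and the bulk-revoke route is never reached.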

🚨 Suspicious Session Handling

If suspicious activity is detected:

  • Revoke sessions immediately
  • Re-authenticate users
  • Rotate credentials if necessary

🛡️ Security Protections

Session management security includes:

  • Secure JWT validation
  • Device verification
  • Session expiration checks
  • Protected API access

🔐 Session Lifecycle

User Login
  ↓
OTP Verification
  ↓
JWT Token Created
  ↓
Session Stored
  ↓
Secure Cookie Created
  ↓
Protected Access Granted
  ↓
Session Monitoring
  ↓
Session Expiration or Revocation

⚠️ Important Notes

Logging Out

Logging out removes the active session.


Changing JWT_SECRET

Changing JWT_SECRET invalidates all sessions.


Session Revocation

Revoked sessions immediately lose access to protected routes.


🛠 Common Issues

Session Expired

Example response:

{
  "error": "Session expired"
}

Solution:

  • Login again

Invalid Session

Example response:

{
  "error": "Invalid session"
}

Solution:

  • Clear cookies
  • Login again

🔒 Best Practices

For improved session security:

  • Revoke unused sessions
  • Use HTTPS only
  • Monitor login activity
  • Avoid shared devices

✅ Next Steps

Continue with:


Secure • Fast • Modern ⚡
