Documentation for Single Session Feature
The single session feature stores the key for the session in a database table whenever a user logs in to the system. In your routing block, you can check that the session key given matches the stored key by doing:
It is not recommended to use this feature unless you have a policy that requires it. Many users find it useful to be able to have multiple concurrent sessions, and restricting this ability does not make things more secure. You can use the active_sessions feature for something with similar behavior but that allows for concurrent sessions.
One side benefit of this feature is that logging out resets the single session key, so attempts to reuse the previous session after logout no longer work.
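The mechanism described above (key stored at login, compared on each request, reset at logout), as an added Ruby example that is not the library's own code. The `SingleSessionStore` class, its method names, the session key name and the in-memory hash standing in for the database table are all assumptions made for illustration.

```ruby
require 'securerandom'

# Hypothetical stand-in for the single session feature; the hash below
# plays the role of the database table of single session keys.
class SingleSessionStore
  SESSION_KEY = :single_session_key # assumed session key name

  def initialize
    @keys = {} # account id => currently active key
  end

  # Login: store a fresh random key, replacing any earlier session's key.
  def login(account_id, session)
    key = SecureRandom.urlsafe_base64(32)
    @keys[account_id] = key
    session[:account_id] = account_id
    session[SESSION_KEY] = key
    session
  end

  # Routing check: does the key in this session match the stored key?
  def active_session?(session)
    stored = @keys[session[:account_id]]
    given = session[SESSION_KEY]
    return false unless stored && given && stored.bytesize == given.bytesize
    # Compare without an early exit on the first differing byte.
    stored.bytes.zip(given.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Logout: reset the stored key so a saved copy of the session stops matching.
  def logout(session)
    account_id = session[:account_id]
    @keys[account_id] = SecureRandom.urlsafe_base64(32) if account_id
    session.clear
  end
end

store = SingleSessionStore.new
laptop = store.login(1, {})
phone = store.login(1, {})           # second login takes over
puts store.active_session?(laptop)   # false: no longer the active session
saved = phone.dup                    # constructed copy of the session data
store.logout(phone)
puts store.active_session?(saved)    # false: key was reset at logout
```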
Auth Value Methods
Whether to allow a raw single session key to be accepted, should only be enabled for graceful transition when
The error status to use when a JSON request is made and the session is no longer active, 401 by default.
The flash error to display if the current session is no longer the active session for the account.
The column in the
The column in the
Where to redirect if the current session is no longer the active session for the account.
The session key name to use for storing the single session key.
The database table storing single session keys.
Auth Methods
Whether the current session is the active session for the user.
The action to take if the current session is no longer the active session for the user.
Reset the single session key for the user, by default to a new random key.
Update the single session key in the current session and in the database, reflecting that the current session is the active session for the user.