Tagged: #sessionquota #sessions
March 12, 2020 at 4:24 pm #27736 ranjit Participant
My mobile app has gotten 3 tokens (id, access and refresh) from FR after authenticating with FR through a web view opened from the mobile app with the help of the AppAuth library.
This resulted in a server-side session in FR whose expiry time is 120 min.
Once 120 min. have elapsed, my understanding is that FR does not have any information about this session.
However, my mobile app will still keep working and keep getting new access tokens by exchanging refresh tokens without any problem as long as those tokens are not expired. All tokens are CTS-based (i.e., server-side).
If I am correct so far, then I have one question.
If I have configured the session limit of 1 session per user, then is it fair to say that after 120 min. (when the session expires) I am free to open the same mobile app from another phone and sign in using the SAME ID?
Basically, now the user can work from 2 phones.
Thanks.
March 26, 2020 at 8:30 pm #27758 Jatinder Singh Participant
Yes, after 120 mins the user would be able to sign in using the same user id on a different device. That said, the same user can still log in from a different device within the 120-min window – but in that case a new session will be created, destroying the old session. There are different configurations available for the session quota feature.
Deny Access. New session creation requests will be denied.
Destroy Next Expiring. The session that would expire next will be destroyed.
Destroy Oldest. The oldest session will be destroyed.
Destroy All. All previous sessions will be destroyed.
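Added example, not part of either post and not ForgeRock code: a small Python model of the four quota behaviours listed above, applied to the thread's scenario of a 120-minute session and a limit of 1 session per user. The class, the function names, the user name and the per-login `ttl` parameter are assumptions made for illustration; only sessions are modelled, not the OAuth tokens.

```python
from dataclasses import dataclass, field

TTL_MIN = 120  # session lifetime quoted in the thread


@dataclass
class Session:
    device: str
    created: int  # minutes since an arbitrary start
    expires: int


@dataclass
class QuotaModel:  # hypothetical model, not the product's implementation
    action: str    # one of the four behaviours listed in the answer
    quota: int = 1  # "1 session per user" from the question
    sessions: dict = field(default_factory=dict)  # user -> list of Session

    def live(self, user, now):
        # Expired sessions are purged, so they no longer count against the quota.
        kept = [s for s in self.sessions.get(user, []) if s.expires > now]
        self.sessions[user] = kept
        return kept

    def login(self, user, device, now, ttl=TTL_MIN):
        # ttl per login is a modelling assumption so expiry order can differ from age.
        live = self.live(user, now)
        if len(live) >= self.quota:
            if self.action == "Deny Access":
                return False
            if self.action == "Destroy All":
                live.clear()
            elif self.action == "Destroy Oldest":
                live.remove(min(live, key=lambda s: s.created))
            elif self.action == "Destroy Next Expiring":
                live.remove(min(live, key=lambda s: s.expires))
            else:
                raise ValueError(f"unknown action: {self.action}")
        live.append(Session(device, now, now + ttl))
        return True

    def devices(self, user, now):
        return [s.device for s in self.live(user, now)]


def second_phone(action, minutes_after_first_login):
    """Phone A signs in at t=0, phone B tries later; returns (allowed, live devices)."""
    m = QuotaModel(action)
    m.login("demo-user", "phone-A", 0)
    ok = m.login("demo-user", "phone-B", minutes_after_first_login)
    return ok, m.devices("demo-user", minutes_after_first_login)
```

With a quota of 1, "Destroy Oldest" and "Destroy Next Expiring" pick the same session; they diverge only when more than one session is allowed and expiry order differs from creation order.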