Ktor server invalidate session

[Vivecstel]

Is it possible to invalidate all the other session for a user when he/she creates a new session ?
The use case is like this:
e.g. the user logins in one device (mobile or web) and a new session is created from server.
Then the same user logins from another device (mobile or web) and creates a new session. The session from the old device needs to be invalidated and only the session from the new device should be active.
| searched the sessions plugin and authentication/session but now sure if this is possible right now.

[Stexxe]

The Sessions plugin allows clearing a session instance of the specified type. For more information, please read the documentation.

Have you experienced any problems while implementing the solution?

[Vivecstel]

The Sessions plugin allows clearing a session instance of the specified type. For more information, please read the documentation.

Have you experienced any problems while implementing the solution?

Yes, I have read the current documentation but "clear" doesn't cover the above use case.

When you need to clear a session for any reason (for example, when a user logs out), call the clear function:

get("/logout") {
    call.sessions.clear<UserSession>()
    call.respondRedirect("/user")
}

As I understand, "clear" removes the current session for the user (e.g. with this specific session id). How can I clear the other old sessions for this user before starting a new one.

[Stexxe]

Can you please tell me how you determine if the same user sends requests from the multiple devices?

[Stexxe]

Unfortunately, it is impossible to invalidate the user's other sessions. The main reason is that Ktor doesn't provide control over how to generate the session ID based on the cookie's or the header's content. If it did, you could send the client ID, which is the same across all user's devices, along with the device ID, and on the server using the Sessions plugin, save the device ID with the client ID as a key. If the session data existed, you could check the stored device ID and invalidate the session if the identifiers don't match.

Should I file a feature request to address this limitation?

[Vivecstel]

Can you please tell me how you determine if the same user sends requests from the multiple devices?

For example, I use
call.sessions.set(value = userSession) and the user session class includes the userId which is unique for this user.

Unfortunately, it is impossible to invalidate the user's other sessions. The main reason is that Ktor doesn't provide control over how to generate the session ID based on the cookie's or the header's content. If it did, you could send the client ID, which is the same across all user's devices, along with the device ID, and on the server using the Sessions plugin, save the device ID with the client ID as a key. If the session data existed, you could check the stored device ID and invalidate the session if the identifiers don't match.

Preferably, I would like to determine with some custom predicate all other sessions using my user session class (for my case all sessions associated with the userId) before setting a new one and clear them.

Should I file a feature request to address this limitation?

Yes if possible. Thanks

[Stexxe]

For example, I use
call.sessions.set(value = userSession) and the user session class includes the userId which is unique for this user.

This approach requires traversing all session storage to find the sessions of the same user, which is inefficient. I thought of using the user ID as a key for the faster lookup. What do you think?

[Vivecstel]

For example, I use
call.sessions.set(value = userSession) and the user session class includes the userId which is unique for this user.

This approach requires traversing all session storage to find the sessions of the same user, which is inefficient. I thought of using the user ID as a key for the faster lookup. What do you think?

Not sure if i want to expose the userid in the session id. But if you can provide control how to generate session id with e.g. the user session object I can somehow associate the generated session IDs with userid. Also, in clear you may need to provide new function to handle session id(s) as an argument.

[Stexxe]

I've filed a feature request.