Limit user auth session

Is it possible to limit the totlall sessions of one user?

I have no idea what that means, the user can only have 1 session.

If you mean prevent them signing into multiple browsers to create multiple simultaneous User Sessions, that option isn’t built-in, you’d need to do something like handle the Validate() Session event to keep track of whether the User has an existing Session (e.g. by maintaining some global state) and return the appropriate error response if you want to prevent future logins, or remove the existing Session from the ICacheClient if you want to invalidate the previous session.

users can have a lot of session if set up like that:
authFeature.GenerateNewSessionCookiesOnAuthentication = false

and how can I get a list of all sessions of a particular user? I use redis as session cache, but there is no user information

The sessions are stored in an ICacheClient which is a key/value data store, you need to maintain any other additional state you want to be able to query, e.g. by maintaining some global state in the OnAuthenticated() or Validate() Session/Auth event as mentioned above.

The Inspecting persisted User Sessions shows an example of how you can query existing sessions:

var sessionPattern = IdUtils.CreateUrn<IAuthSession>(""); //= urn:iauthsession:
var sessionKeys = Cache.GetKeysStartingWith(sessionPattern).ToList();

var allSessions = Cache.GetAll<IAuthSession>(sessionKeys);

But this is very inefficient as it requires deserializing all existing sessions so you shouldn’t do this if you have a lot of users and maintain another global index to access any other info you want to query.

1 Like