by jruthers
1866 days ago
Would you be able to expand on scoped sessions, invalidated subsets, delegated sessions? Our roadmap has a big emphasis on improved session management and these are ideas we haven't considered and I'm keen to understand more.
You might want to invalidate sessions from a particular device, IP, or time period. Or, if you detect a user is compromised, terminate all sessions on their behalf.
You might want API and web sessions to have different properties, such as duration. Or limit access to certain endpoints based on device type.
You might have a mechanism to turn one session type into another so that your app can open a browser and have the user already logged in.
If your model has a superuser that has oversight into a lot of account-like views, you might want the ability to constrain it to a subset of permissions while handing it off to something else, especially if those sessions are longer lived. Or give it a subordinate view.
You might want to assign confidence intervals to sessions based on heuristics and ask for a second factor for operations that require a given score.
There's a lot you can do.
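The reply above sketches invalidating a subset of a user's sessions, giving web and API sessions different lifetimes, and deriving a delegated session with fewer permissions; the following is an added Python illustration of those three ideas, not code from the thread or any commenter, and the session types, lifetimes and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SESSION_TTL = {"web": timedelta(hours=12), "api": timedelta(days=30)}  # assumed lifetimes

@dataclass
class Session:
    id: str
    user: str
    kind: str                # "web" or "api", selects the lifetime above
    device: str
    ip: str
    created: datetime
    scopes: frozenset        # permissions this session may exercise
    parent: "str | None" = None   # set on delegated sessions
    revoked: bool = False

class SessionStore:
    def __init__(self):
        self._sessions, self._count = {}, 0

    def create(self, user, kind, device, ip, scopes, now, parent=None):
        self._count += 1
        s = Session(f"s{self._count}", user, kind, device, ip, now, frozenset(scopes), parent)
        self._sessions[s.id] = s
        return s

    def delegate(self, parent_id, kind, device, scopes, now):
        # Derive a session of any type (e.g. API -> web) holding a subset of the parent's scopes.
        p = self._sessions[parent_id]
        if not frozenset(scopes) <= p.scopes:
            raise PermissionError("delegated scopes exceed parent scopes")
        return self.create(p.user, kind, device, p.ip, scopes, now, parent=p.id)

    def is_valid(self, sid, now):
        s = self._sessions[sid]
        if s.revoked or now - s.created > SESSION_TTL[s.kind]:
            return False
        return s.parent is None or self.is_valid(s.parent, now)  # revoked parent kills children

    def revoke_where(self, user, device=None, ip=None, since=None):
        # Invalidate the matching subset of a user's live sessions; no criteria = all of them.
        hits = [s for s in self._sessions.values()
                if s.user == user and not s.revoked
                and (device is None or s.device == device)
                and (ip is None or s.ip == ip)
                and (since is None or s.created >= since)]
        for s in hits:
            s.revoked = True
        return len(hits)
```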