Isola92 / PartyScrobbler


Store Session Key #11

Open Isola92 opened 7 years ago

Isola92 commented 7 years ago

From last.fm:

Session keys have an infinite lifetime by default. You are recommended to store the key securely. Users are able to revoke privileges for your application on their Last.fm settings screen, rendering session keys invalid.

These keys could be written to a simple text file together with the related user name. No real DB is needed, since it's currently the only data that has to be stored between server lifetimes.

A user will still have to provide the session token (received from the user after approving site usage on www.last.fm) but I can save a few API-calls by not generating a new session key.

The new init-flow should be:

  1. Redirect user to last.fm.
  2. User approves my app.
  3. User is re-directed to site with token.
  4. Server checks if the user already has a session key.
  5. (Option 1) Server maps that session key to that user.
  6. (Option 2) Server generates a session key for that user.
  7. Life goes on.
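Steps 4 to 6 of the flow above, as an added example that is not code from PartyScrobbler or from the issue author. It keeps the proposed flat-file store but adds the two things the last.fm note about storing the key securely implies: the file is created with owner-only permissions (0600) and written atomically, because a session key never expires on its own and grants scrobble access until the user revokes the app. The `fetch_session_key` callable stands in for the `auth.getSession` request that trades the token for a key; it is injected so the example runs offline, and the username is assumed to be supplied by the client, as the issue's "key together with the user name" mapping requires. `SessionKeyStore`, `complete_login` and `run_demo` are names chosen for this example.

```python
import json
import os
import tempfile
from typing import Callable, Dict, Optional, Tuple


class SessionKeyStore:
    """Persists last.fm session keys keyed by username in a JSON file.

    mkstemp creates the temp file with mode 0o600 and os.replace keeps that
    mode, so the key file is never world-readable, even for a moment.
    Assumes a POSIX filesystem.
    """

    def __init__(self, path: str):
        self.path = path
        self._keys: Dict[str, str] = {}
        if os.path.exists(path):
            with open(path, "r", encoding="utf-8") as fh:
                self._keys = json.load(fh)

    def get(self, username: str) -> Optional[str]:
        return self._keys.get(username)

    def put(self, username: str, session_key: str) -> None:
        self._keys[username] = session_key
        self._save()

    def remove(self, username: str) -> None:
        # Call this when last.fm rejects the key (the user revoked the app),
        # so the next login falls through to generating a fresh one.
        self._keys.pop(username, None)
        self._save()

    def _save(self) -> None:
        # Write to a temp file in the same directory, then rename over the
        # real file, so a crash mid-write cannot leave a truncated key file.
        dir_name = os.path.dirname(os.path.abspath(self.path))
        fd, tmp_path = tempfile.mkstemp(dir=dir_name, prefix=".sessions-")
        try:
            with os.fdopen(fd, "w", encoding="utf-8") as fh:
                json.dump(self._keys, fh)
            os.replace(tmp_path, self.path)
        except BaseException:
            if os.path.exists(tmp_path):
                os.unlink(tmp_path)
            raise


def complete_login(
    store: SessionKeyStore,
    username: str,
    token: str,
    fetch_session_key: Callable[[str], str],
) -> Tuple[str, bool]:
    """Steps 4-6: reuse a stored key (option 1) or generate one (option 2).

    Returns (session_key, created). fetch_session_key(token) is where the
    real app would call auth.getSession; only that path costs an API call.
    """
    existing = store.get(username)
    if existing is not None:
        return existing, False
    session_key = fetch_session_key(token)
    store.put(username, session_key)
    return session_key, True


def run_demo() -> dict:
    """Runs two logins for the same user against a throwaway store and
    reports what was persisted; all inputs are constructed for the demo."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sessions.json")
        calls = []

        def fake_fetch(token: str) -> str:  # stand-in for auth.getSession
            calls.append(token)
            return "sk-" + token[::-1]

        store = SessionKeyStore(path)
        key1, created1 = complete_login(store, "alice", "tok123", fake_fetch)
        key2, created2 = complete_login(store, "alice", "tok456", fake_fetch)
        reloaded = SessionKeyStore(path).get("alice")  # survives a restart
        mode = os.stat(path).st_mode & 0o777
        return {
            "key": key1,
            "created_first": created1,
            "created_second": created2,
            "same_key": key1 == key2,
            "reloaded": reloaded,
            "api_calls": len(calls),
            "file_mode": mode,
        }


if __name__ == "__main__":
    print(run_demo())
```

The second login for the same user costs no API call, which is the saving the issue is after; the token from the second redirect is simply discarded. The one case the flow needs to handle explicitly is revocation: when a scrobble request fails because the stored key is no longer valid, `remove` the entry so the user is sent through option 2 again instead of looping on a dead key.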