byewokko
commented
1 year ago Concept
- Client-side session identifier (cookie or access token) is a JWToken rather than an opaque string.
- The token is signed and its claims contain the minimal data required for reconstructing a Seacat session.
- Claims
- Creation date
- Expiration date (required by JWT)
- Track ID
- Client ID (?)
- Scope (?)
Caveats
Extending expiration
The token is immutable once issued. To extend its validity we would need to issue a new one with the same track ID. For cookie token this means adding a Set-Cookie header in introspection response, which is fine since this mechanism is already in place. For access token this would require an active token refresh call, which is not supported in Seacat Auth yet.
To lower the number of sessions stored in the database, I want to introduce the concept of algorithmic sessions.
Algorithmic Session is not stored in the database, it can be however reconstructed from the session identification (Cookie, access token).
This is (currently) only for anonymous sessions.