Session Management — View & Revoke Active Logins
1. Problem
What is the core problem we are trying to solve? Why does this matter?
Currently, authentication uses stateless JWTs that include creation and expiry timestamps. It is possible to revoke all tokens created before a specific time, but it isn't possible to revoke them selectively. This means it isn't possible to invalidate an individual session.
We don't track sessions server-side, so we can't display active sessions to the user or provide meaningful visibility into account activity.
2. Appetite
How much time do we want to spend on this?
2-3 weeks
3. Solution
How do we imagine solving this problem?
We will introduce server-side session tracking for all JWT-based logins. Each session will have its own database record (cached in Redis for performance), storing metadata such as creation time, last used time, and user-agent information. Each issued JWT will be tied to a specific session ID, enabling selective revocation.
The user-facing settings page will display a list of active sessions (e.g., devices/browsers), allowing users to:
- View session details (e.g., creation time, last used time, user agent),
- Revoke individual sessions,
- Optionally, revoke all sessions at once.
All session creation and revocation events will be logged in the existing "activity" system to make user activity more transparent to admins.
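The following is an added illustration of the mechanism described above, not code from this project: each login creates a server-side session record, the issued JWT carries the session ID in a `sid` claim, and every authenticated request checks that the session still exists and has not been revoked, bumping "last used" on the way. An in-memory dict stands in for the database/Redis store, a list stands in for the activity system, and the JWT is signed by hand with HMAC-SHA256 so the example runs offline. The claim names, field names, the global `iat` cutoff for pre-rollout tokens without a `sid`, and the signing key are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import uuid

SECRET = b"example-signing-key"       # constructed for this example only
sessions: dict = {}                   # session_id -> record (stands in for DB/Redis)
activity_log: list = []               # stands in for the existing "activity" system
REVOKE_BEFORE = 0.0                   # existing mechanism: tokens issued before this are invalid
ACCEPT_LEGACY_TOKENS = True           # assumed policy for tokens that have no "sid" claim


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: bytes) -> str:
    return _b64(hmac.new(SECRET, signing_input, hashlib.sha256).digest())


def encode_jwt(claims: dict) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    return f"{header}.{payload}.{_sign(f'{header}.{payload}'.encode())}"


def decode_jwt(token: str, now: float) -> dict:
    """Verify signature and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{header}.{payload}".encode())):
        raise ValueError("bad signature")          # constant-time comparison above
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def create_session(user_id: str, user_agent: str, now: float, ttl: int = 3600) -> str:
    """Record a new server-side session and return a JWT bound to it."""
    sid = str(uuid.uuid4())
    sessions[sid] = {"user_id": user_id, "user_agent": user_agent,
                     "created": now, "last_used": now, "revoked": False}
    activity_log.append({"event": "session_created", "user_id": user_id, "sid": sid, "at": now})
    return encode_jwt({"sub": user_id, "sid": sid, "iat": now, "exp": now + ttl})


def authenticate(token: str, now: float) -> str:
    """Return the user id if the token is valid and its session is still live."""
    claims = decode_jwt(token, now)
    if claims["iat"] < REVOKE_BEFORE:              # pre-existing global revocation
        raise ValueError("revoked by cutoff")
    sid = claims.get("sid")
    if sid is None:                                # token issued before session tracking
        if not ACCEPT_LEGACY_TOKENS:
            raise ValueError("re-login required")
        return claims["sub"]
    session = sessions.get(sid)
    if session is None or session["revoked"]:
        raise ValueError("session revoked")
    session["last_used"] = now                     # one possible "last used" policy
    return claims["sub"]


def list_sessions(user_id: str) -> list:
    """Active sessions for the settings page, including sid for revocation."""
    return [dict(sid=sid, **s) for sid, s in sessions.items()
            if s["user_id"] == user_id and not s["revoked"]]


def revoke_session(user_id: str, sid: str, now: float) -> bool:
    """Revoke one of the caller's own sessions; other users' sessions are untouched."""
    session = sessions.get(sid)
    if session is None or session["user_id"] != user_id or session["revoked"]:
        return False
    session["revoked"] = True
    activity_log.append({"event": "session_revoked", "user_id": user_id, "sid": sid, "at": now})
    return True


def revoke_all_sessions(user_id: str, now: float) -> int:
    return sum(revoke_session(user_id, s["sid"], now) for s in list_sessions(user_id))


def activity_events(user_id: str) -> list:
    return [e["event"] for e in activity_log if e["user_id"] == user_id]
```

The revocation check is a store lookup on every request, which is the overhead the "Rabbit Holes" section warns about; keeping the record in Redis and updating `last_used` lazily (for example only when it is more than a minute stale) is the usual way to keep that cost bounded.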
4. Basic Drawings
What rough sketches or wireframes illustrate the concept?
TODO
5. Rabbit Holes
What are the potential complexities, unknowns, or risky areas?
- Avoiding adding significant overhead.
- Defining how "last used" is updated.
- Handling backward compatibility for existing JWTs that lack a session ID. (Or do we force everyone to re-login?)
6. No-Goes
What explicitly falls outside the scope of this pitch?
- Admin-side session management (viewing or revoking sessions for other users).
- Advanced device fingerprinting, detailed geolocation, or binding a session to the device on which it was created so that it cannot be used anywhere else.
7. Success Criteria
How will we measure success?
- Users can view and revoke their active sessions from the settings screen.
- Session creation and revocation events are logged in the activity system.
- The performance of authentication remains reasonable.