Restoring, renewing and invalidating Sessions

Hello! I’m trying to implement the following login flow for a web game: the player is able to join as a guest account if they never played before, but can authenticate and login with a non-guest account by using an e-mail and password, and then that session can persist for a certain amount of time or until the player logs out or starts a session on another device. Ideally, the player shouldn’t be asked to input their credentials all the time, so restoring their session (if it wasn’t expired) seemed the most logical step to take.

Then, the problems and a few questions:

  • After digging a bit, I found out that you can restore sessions from a string, which worked fine until I encountered an extremely weird bug where two distinct sessions were accessed from another, completely unrelated testing machine, which was catastrophic - imagine random strangers getting access to your account. How could this happen if the tokens are only being saved locally?
  • Restoring sessions does not invalidate the previous ones, so players can play against themselves if they open a second tab. Is it possible to invalidate the previous session upon authentication so that won’t happen?
  • What is the correct pattern to use to obtain the desired flow that I’ve described before? Should I use sessions and manipulate the tokens or should I use another method? What method?

@luizsan You should use session refresh to allow user sessions to be extended without prompting the user to authenticate again. This is exactly what the refresh mechanic is intended for.

I encountered an extremely weird bug where two distinct sessions were accessed from another, completely unrelated testing machine, which was catastrophic - imagine random strangers getting access to your account

How would this happen without these “strangers” either knowing your account credentials (email+password etc) or getting access to the session token? The session token should never be shared with another device, only stored locally. Check your game flow.

Restoring sessions does not invalidate the previous ones, so players can play against themselves if they open a second tab. Is it possible to invalidate the previous session upon authentication so that won’t happen?

New sessions do not invalidate previous ones (unless you choose to log out the older session). This is an intentional design decision. If you want to ensure the user only plays from one device at a time, in one match at a time, you should set the session.single_match and session.single_socket config options to true. They will ensure that if a user tries to connect a second device, the first one will be disconnected.
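As an added illustration (not from the original post or from the Nakama project docs), this is how the two options named above would look in a Nakama server YAML config, alongside the session and refresh-token expiry keys that the refresh mechanic relies on; the expiry values are example choices, not recommendations from the page:

```yaml
# Example Nakama server config fragment (added example, not from the thread).
# Keys under "session" are server configuration options; the numeric values
# below are illustrative assumptions for a game that wants short-lived access
# tokens that are silently refreshed, and one active device per player.
session:
  # Lifetime of the access token the client restores from local storage.
  # Keep it short: once expired, the client must refresh rather than reuse it.
  token_expiry_sec: 600

  # Lifetime of the refresh token. This bounds how long a player can stay
  # logged in without re-entering email and password.
  refresh_token_expiry_sec: 604800

  # Only one realtime socket per user: connecting from a second device or a
  # second browser tab disconnects the first socket (answers the "second tab"
  # question in the thread). Defaults to false if omitted.
  single_socket: true

  # Only one match per user at a time, so a player cannot be in two matches
  # (for example, against themselves) simultaneously. Defaults to false.
  single_match: true
```

With these set, the client's normal flow is: restore the stored session, call session refresh when the access token is expired but the refresh token is not, and fall back to the email/password login only when both have expired or the player explicitly logged out.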
