
Rework sessions #2104

@darthmaim

Description


Currently we are not just reading the session from the db on every request, but even writing a last-used timestamp. That is slow...

Instead we should use a short-lived JWT that holds all the user info we need, so we don't need to hit the db at all on most requests. If the JWT is invalid/expired, we will use the session id and generate a new one + write last used. Each JWT should be bound to an IP or a device with DBSC (#1611).

When the user revokes all sessions, we write a timestamp to the user and only accept JWTs that were created after that timestamp. To avoid having to read the db for this again on every request, we can cache this. We just have to make sure to invalidate the cache on all app instances when sessions are revoked.

Labels: enhancement (New feature or request)