Single Active Session

Using the login options in Descope's SDKs, you can limit each user to a single active session across devices. When a user logs in on a new device, all of that user's previous sessions are logged out automatically.

This feature is essential for businesses prioritizing data consistency, security, and user experience. Common use cases include:

  • Streaming Services: Maintain watch history, play positions, and prevent account misuse.
  • Ride-sharing apps: Ensure seamless order tracking and prevent duplicate bookings.
  • Finance Apps: Guarantee secure and frictionless account access across devices.

This guide will walk you through implementing this feature using both backend and mobile SDKs.

Implementing A Single Session

Follow the instructions below to enforce a single valid session across devices.

Using Backend SDK

Pass the RevokeOtherSessions setting in the loginOptions object at sign-in to revoke all of the user's previous sessions.

const loginId = "email@company.com"
const uri = "http://auth.company.com/api/verify_magiclink"
const deliveryMethod = "email"
// loginOptions (LoginOptions): this is where setting "RevokeOtherSessions" takes place.
const loginOptions = {
  "RevokeOtherSessions": true  // This ensures previous sessions are revoked
}

const resp = await descopeClient.magicLink.signIn[deliveryMethod](loginId, uri, loginOptions);
if (!resp.ok) {
  console.log("Failed to initialize signin flow")
  console.log("Status Code: " + resp.code)
  console.log("Error Code: " + resp.error.errorCode)
  console.log("Error Description: " + resp.error.errorDescription)
  console.log("Error Message: " + resp.error.errorMessage)
}
else {
  console.log("Successfully initialized signin flow")
}
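
What revoking other sessions means on the server side, as an added example that is not Descope's code: a simplified in-memory model in which `SessionRegistry`, `login`, `isActive` and the `sess-N` ids are hypothetical. It reuses the `RevokeOtherSessions` key from the snippet above and shows that only earlier sessions of the same login ID are dropped.

```javascript
// Simplified in-memory model of single-active-session semantics (added example).
// SessionRegistry and its methods are hypothetical names, not Descope SDK calls.
class SessionRegistry {
  constructor() {
    this.sessions = new Map(); // sessionId -> { loginId, device }
    this.counter = 0;          // constructed ids; real session tokens are random and signed
  }

  // Issue a new session. When RevokeOtherSessions is true, every session
  // already held by the same loginId is removed first.
  login(loginId, device, loginOptions = {}) {
    const revoked = [];
    if (loginOptions.RevokeOtherSessions === true) {
      for (const [id, s] of this.sessions) {
        if (s.loginId === loginId) {
          this.sessions.delete(id);
          revoked.push(id);
        }
      }
    }
    const sessionId = `sess-${++this.counter}`;
    this.sessions.set(sessionId, { loginId, device });
    return { sessionId, revoked };
  }

  // A request is authorized only while its session is still registered.
  isActive(sessionId) {
    return this.sessions.has(sessionId);
  }
}

// Constructed scenario: one user on two devices, plus an unrelated user.
function runScenario() {
  const reg = new SessionRegistry();
  const opts = { RevokeOtherSessions: true };
  const laptop = reg.login("email@company.com", "laptop", opts);
  const other = reg.login("other@company.com", "tablet", opts);
  const phone = reg.login("email@company.com", "phone", opts);
  return {
    revokedByPhoneLogin: phone.revoked,             // ["sess-1"]
    laptopActive: reg.isActive(laptop.sessionId),   // false
    phoneActive: reg.isActive(phone.sessionId),     // true
    otherUserActive: reg.isActive(other.sessionId)  // true
  };
}

console.log(runScenario());
```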

Using Mobile SDK

Pass the revokeOtherSessions option in the signInOptions array at sign-in to revoke all of the user's previous sessions.

let deliveryMethod = DeliveryMethod.email
let loginId = "email@company.com"
let uri = "http://auth.company.com/api/verify_magiclink"
 
guard let session = Descope.sessionManager.session else { return }
let signInOptions: [SignInOptions] = [
    // signInOptions (SignInOptions): this is where setting "revokeOtherSessions" takes place.
    .revokeOtherSessions
]
 
do {
  try await Descope.magicLink.signIn(with: deliveryMethod, loginId: loginId, uri: uri, options: signInOptions)
  print("Successfully initiated Magic Link Sign In")
} catch {
  print("Failed to initiate Magic Link Sign In")
  print(error)
}

Conclusion

Implementing a single active session ensures a secure and seamless user experience, especially in industries where real-time data synchronization and account security are critical. With Descope, you can:

  • Prevent Unauthorized Access: Stop multiple sessions from being active simultaneously.
  • Enhance User Experience: Ensure real-time updates and synchronization across devices.
  • Boost Security: Reduce the risk of account misuse or session hijacking.

Integrating this feature improves user engagement, trust, and satisfaction in your app.
