Security and Privacy/Additional Security Features

Single Active Session

Utilizing Descope's SDK login options, you can force users only to have a single active session across devices. This ensures that all previous sessions are logged out automatically when a user logs in on a new device.

This feature is essential for businesses prioritizing data consistency, security, and user experience. Common use cases include:

  • Streaming Services: Maintain watch history, play positions, and prevent account misuse.
  • Ride-sharing apps: Ensure seamless order tracking and prevent duplicate bookings.
  • Finance Apps: Guarantee secure and frictionless account access across devices.

This guide will walk you through implementing this feature using both backend and mobile SDKs.

Implementing A Single Session

Follow the instructions below to implement the single valid session across devices.

Using Backend SDK

Utilizing the loginOptions object in the SDKs, you can pass a variable that will revoke all previous sessions.

const loginId = "email@company.com"
const uri = "http://auth.company.com/api/verify_magiclink"
const deliveryMethod = "email"
//    loginOptions (LoginOptions): this is where setting "RevokeOtherSessions" takes place.
const loginOptions = {
      "RevokeOtherSessions": true  // This ensures previous sessions are revoked
    }
 
const resp = await descopeClient.magicLink.signIn[deliveryMethod](loginId, uri, loginOptions);
if (!resp.ok) {
  console.log("Failed to initialize signin flow")
  console.log("Status Code: " + resp.code)
  console.log("Error Code: " + resp.error.errorCode)
  console.log("Error Description: " + resp.error.errorDescription)
  console.log("Error Message: " + resp.error.errorMessage)
}
else {
  console.log("Successfully initialized signin flow")
}

Using Mobile SDK

Utilizing the loginOptions object in the SDKs, you can pass a variable that will revoke all previous sessions.

let deliveryMethod = DeliveryMethod.email
let loginId = "email@company.com"
let uri = "http://auth.company.com/api/verify_magiclink"
 
guard let session = Descope.sessionManager.session else { return }
var signInOptions: [SignInOptions] = [
    //     signInOptions (SignInOptions): this is where setting "revokeOtherSessions" takes place.
    .revokeOtherSessions: true
]
 
do {
  try await Descope.magicLink.signIn(with: deliveryMethod, loginId: loginId, uri: uri, options: signInOptions)
  print("Successfully initiated Magic Link Sign In")
} catch {
  print("Failed to initiate Magic Link Sign In")
  print(error)
}

Conclusion

Implementing a single active session ensures a secure and seamless user experience, especially in industries where real-time data synchronization and account security are critical. With Descope, you can:

  • Prevent Unauthorized Access: Stop multiple sessions from being active simultaneously.
  • Enhance User Experience: Ensure real-time updates and synchronization across devices.
  • Boost Security: Reduce the risk of account misuse or session hijacking.

Integrating this feature improves user engagement, trust, and satisfaction in your app.

Was this helpful?

Refresh Token Rotation

A guide and overview of how refresh token rotation works with Descope and how it secures your sessions.

Common Errors

This article covers the common errors that that Descope can return.

On this page