
Single Active Session

Utilizing Descope's SDK login options, you can force users to have only a single active session across devices. This ensures that all previous sessions are logged out automatically when a user logs in on a new device.

This feature is essential for businesses prioritizing data consistency, security, and user experience. Common use cases include:

  • Streaming Services: Maintain watch history, play positions, and prevent account misuse.
  • Ride-sharing apps: Ensure seamless order tracking and prevent duplicate bookings.
  • Finance Apps: Guarantee secure and frictionless account access across devices.

This guide will walk you through implementing this feature using both backend and mobile SDKs.

Implementing A Single Session

Follow the instructions below to enforce a single valid session across devices.

Using Backend SDK

Utilizing the loginOptions object in the SDKs, you can pass a variable that will revoke all previous sessions.

const loginId = "email@company.com";
const uri = "http://auth.company.com/api/verify_magiclink";
const deliveryMethod = "email";
// loginOptions (LoginOptions): this is where setting "RevokeOtherSessions" takes place.
const loginOptions = {
  "RevokeOtherSessions": true, // This ensures previous sessions are revoked
};

const resp = await descopeClient.magicLink.signIn[deliveryMethod](loginId, uri, loginOptions);
if (!resp.ok) {
  console.log("Failed to initialize signin flow");
  console.log("Status Code: " + resp.code);
  console.log("Error Code: " + resp.error.errorCode);
  console.log("Error Description: " + resp.error.errorDescription);
  console.log("Error Message: " + resp.error.errorMessage);
} else {
  console.log("Successfully initialized signin flow");
}

Using Mobile SDK

The mobile SDKs expose the same behavior through the list of sign-in options (signInOptions) passed to the sign-in call; including the revokeOtherSessions option revokes all previous sessions.

let deliveryMethod = DeliveryMethod.email
let loginId = "email@company.com"
let uri = "http://auth.company.com/api/verify_magiclink"

// signInOptions ([SignInOptions]): this is where the "revokeOtherSessions" option takes place.
let signInOptions: [SignInOptions] = [
    .revokeOtherSessions  // This ensures previous sessions are revoked
]

do {
  try await Descope.magicLink.signIn(with: deliveryMethod, loginId: loginId, uri: uri, options: signInOptions)
  print("Successfully initiated Magic Link Sign In")
} catch {
  print("Failed to initiate Magic Link Sign In")
  print(error)
}

Session Type Support

When implementing the single active session feature, you can manage session revocation using a custom session "type", identified by the dtt claim.

A session "type" is simply a custom string you assign to a session—such as "Mobile" or "Web". This allows you to revoke sessions selectively based on their type. For example, when a user logs in on a new device, you might choose to revoke all existing sessions of type "Mobile" while leaving "Web" sessions intact.

To enable this, add the dtt claim to the session's custom claims. Then, during the sign-in process, you can specify the session types to revoke using the loginOptions.

This provides flexible control over session management by allowing you to tag and target sessions based on their assigned type.

Using Backend SDK

package main

import (
	"context"
	"fmt"
	"net/http"

	"github.com/descope/go-sdk/descope"
	"github.com/descope/go-sdk/descope/client"
)

// descopeClient is the *client.DescopeClient initialised at startup; r is the
// incoming *http.Request of the sign-in handler, which the SDK call expects.
func signInRevokingMobileSessions(descopeClient *client.DescopeClient, r *http.Request) {
	ctx := context.Background()
	deliveryMethod := descope.MethodEmail
	loginID := "email@company.com"
	URI := "http://auth.company.com/api/verify_magiclink"
	// login options: this is where setting "RevokeOtherSessions" & "RevokeOtherSessionsTypes" takes place.
	loginOptions := &descope.LoginOptions{
		RevokeOtherSessions:      true,                         // This ensures previous sessions are revoked
		CustomClaims:             map[string]any{"dtt": "web"}, // This is where the dtt claim is supplied into the custom claims
		RevokeOtherSessionsTypes: []string{"mobile"},           // Example of revoking "mobile" sessions
	}

	err := descopeClient.Auth.MagicLink().SignIn(ctx, deliveryMethod, loginID, URI, r, loginOptions)
	if err != nil {
		fmt.Println("Failed to initialize signin flow: ", err)
	} else {
		fmt.Println("Successfully initialized signin flow")
	}
}
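The following Go program is an added example, not Descope code or part of this guide's original samples. It models the revocation semantics described in the two sections above (RevokeOtherSessions alone for a single active session, and RevokeOtherSessions combined with a dtt session type and RevokeOtherSessionsTypes for selective revocation) so you can see which of a user's sessions each setting removes before wiring it into your login handler. The Session and RevocationPolicy types, the SessionsToRevoke function and the sample sessions are all constructed for the illustration, and the semantics it assumes (RevokeOtherSessions is the master switch; an empty type list revokes everything, a non-empty list revokes only sessions whose dtt claim exactly matches) are a reading of this page, not a description of Descope's implementation.

```go
package main

import (
	"fmt"
	"sort"
)

// Session models the parts of an issued session that matter for revocation:
// which user it belongs to and the value of its "dtt" custom claim.
// Sessions issued without a dtt claim have an empty Type.
type Session struct {
	ID   string
	User string
	Type string
}

// RevocationPolicy mirrors the two login options discussed on this page.
// Assumed semantics (a reading of the guide, not Descope's implementation):
// RevokeOtherSessions is the master switch; when RevokeOtherSessionsTypes is
// empty every other session of the user is revoked, otherwise only sessions
// whose dtt claim exactly matches one of the listed types.
type RevocationPolicy struct {
	RevokeOtherSessions      bool
	RevokeOtherSessionsTypes []string
}

// SessionsToRevoke returns, sorted, the IDs of the user's existing sessions
// that the policy revokes when a new session is issued for that user.
// Sessions belonging to other users are never touched.
func SessionsToRevoke(existing []Session, user string, p RevocationPolicy) []string {
	if !p.RevokeOtherSessions {
		return nil
	}
	wanted := make(map[string]bool, len(p.RevokeOtherSessionsTypes))
	for _, t := range p.RevokeOtherSessionsTypes {
		wanted[t] = true
	}
	var revoked []string
	for _, s := range existing {
		if s.User != user {
			continue
		}
		// With no type filter every other session goes; with a filter,
		// untyped sessions (Type == "") are left alone because they match nothing.
		if len(wanted) == 0 || wanted[s.Type] {
			revoked = append(revoked, s.ID)
		}
	}
	sort.Strings(revoked)
	return revoked
}

// SampleSessions is a constructed set of sessions for the demonstration.
func SampleSessions() []Session {
	return []Session{
		{ID: "s1", User: "alice", Type: "mobile"},
		{ID: "s2", User: "alice", Type: "web"},
		{ID: "s3", User: "alice", Type: ""},
		{ID: "s4", User: "bob", Type: "mobile"},
	}
}

func main() {
	sessions := SampleSessions()
	// Plain single active session: alice signs in again and all her other sessions go.
	fmt.Println("revoke all:", SessionsToRevoke(sessions, "alice", RevocationPolicy{RevokeOtherSessions: true}))
	// The scenario from the text: a new login tagged "web" revokes only her "mobile" sessions.
	fmt.Println("revoke mobile:", SessionsToRevoke(sessions, "alice", RevocationPolicy{
		RevokeOtherSessions:      true,
		RevokeOtherSessionsTypes: []string{"mobile"},
	}))
}
```

Two edge cases worth noticing when you adopt session types: a session issued before you started adding the dtt claim has no type, so a typed revocation list will not catch it, and a type string is matched literally, so "Mobile" and "mobile" are different types. Decide on a canonical spelling for the dtt claim and apply it to every sign-in path before relying on RevokeOtherSessionsTypes.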

Conclusion

Implementing a single active session ensures a secure and seamless user experience, especially in industries where real-time data synchronization and account security are critical. With Descope, you can:

  • Prevent Unauthorized Access: Stop multiple sessions from being active simultaneously.
  • Enhance User Experience: Ensure real-time updates and synchronization across devices.
  • Boost Security: Reduce the risk of account misuse or session hijacking.

Integrating this feature improves user engagement, trust, and satisfaction in your app.
