Sessions will be referenced by long-lived cookies (e.g. 30 days) that get refreshed on use. The session data itself will be stored in a Session table. The currently planned data includes:
Column | Type | Description
---|---|---
id | UUID | Session ID
secret | str | Rotated session cookie secret
member_id | FK | The member this session is for
created | DateTime | When the session was first created
last_active | DateTime | When the session was last used
last_email_auth | Optional[DateTime] | When an email authentication was performed
last_keyfob_auth | Optional[DateTime] | When a keyfob authentication was performed
last_totp_auth | Optional[DateTime] | When a TOTP authentication was performed
last_passkey_auth | Optional[DateTime] | When a passkey authentication was performed
The session's current authentication level will be calculated from the fields in the Session table. The exact rules are still to be determined; however, they will fit into the following levels:
In OpenID terminology this is called the ACR (Authentication Context Class Reference).
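The following is an added example, not the project's own code, showing how a cookie carrying the session id plus the rotated secret can be resolved against a row shaped like the Session table above, with the 30-day sliding expiry from the text, and how an authentication level can be derived from the `last_*_auth` timestamps. The 12-hour factor freshness window, the 0/1/2 level numbering and the `lookup` callable are assumptions, since the real rules are still to be determined.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
from uuid import UUID, uuid4

SESSION_LIFETIME = timedelta(days=30)   # from the design text
FACTOR_FRESHNESS = timedelta(hours=12)  # assumed; the real rules are TBD

@dataclass
class Session:  # mirrors the Session table above
    id: UUID
    secret: str
    member_id: int
    created: datetime
    last_active: datetime
    last_email_auth: Optional[datetime] = None
    last_keyfob_auth: Optional[datetime] = None
    last_totp_auth: Optional[datetime] = None
    last_passkey_auth: Optional[datetime] = None

def new_session(member_id: int, now: datetime) -> Session:
    return Session(uuid4(), secrets.token_urlsafe(32), member_id, now, now)

def cookie_value(s: Session) -> str:
    return f"{s.id}.{s.secret}"  # row id plus the current secret

def load_session(cookie: str, lookup, now: datetime) -> Optional[Session]:
    """Resolve a cookie to a live Session, refreshing and rotating it on use.
    `lookup` (assumed) maps a session UUID to a Session row or None."""
    try:
        sid, presented = cookie.split(".", 1)
        s = lookup(UUID(sid))
    except (ValueError, KeyError):
        return None
    # Constant-time compare: knowing a row id must not help guess the secret.
    if s is None or not hmac.compare_digest(presented.encode(), s.secret.encode()):
        return None
    if now - s.last_active > SESSION_LIFETIME:
        return None  # idle for more than 30 days
    s.last_active = now                   # sliding expiry ("refreshed on use")
    s.secret = secrets.token_urlsafe(32)  # rotate; caller must re-issue the cookie
    return s

def auth_level(s: Session, now: datetime) -> int:
    """Assumed levels: 0 = none, 1 = one fresh factor, 2 = two or more."""
    factors = (s.last_email_auth, s.last_keyfob_auth,
               s.last_totp_auth, s.last_passkey_auth)
    fresh = sum(1 for t in factors if t and now - t <= FACTOR_FRESHNESS)
    return min(fresh, 2)
```

Because the secret rotates on every successful load, a cookie copied before the last request stops working, which limits the value of a cookie stolen from an old backup or log.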