Session management

Sessions will be referenced by long-lived cookies (e.g. 30 days) that get refreshed on use. The session data itself will be stored in a Session table. The currently planned data includes:

Column Type Description
id UUID Session ID
secret str Rotated session cookie secret
user_id FK The user this session is for
created DateTime When the session was first created
last_active DateTime When the session was last used
last_email_auth Optional[DateTime] When an email authentication was performed
last_keyfob_auth Optional[DateTime] When a keyfob authentication was performed
last_totp_auth Optional[DateTime] When a TOTP authentication was performed
last_passkey_auth Optional[DateTime] When a passkey authentication was performed

Authentication Level

The session's current authentication level will be calculated based on the fields in the Session table. The exact rules are still to be determined, however they will fit into the following levels:

  1. Plastic. The lowest authentication level when using a keyfob login.
  2. Bronze. Sessions that haven't authenticated in a while.
  3. Silver. Sessions that authenticated recently but didn't use 2fa.
  4. Gold. Sessions that authenticated recently with 2fa.

In OpenID terminology this is called the ACR.