Session management
Sessions will be referenced by long-lived cookies (e.g. 30 days) that get refreshed on use. The session data itself will be stored in a Session table. The currently planned data includes:
| Column | Type | Description |
|---|---|---|
| id | UUID | Session ID |
| secret | str | Rotated session cookie secret |
| user_id | FK | The user this session is for |
| created | DateTime | When the session was first created |
| last_active | DateTime | When the session was last used |
| last_email_auth | Optional[DateTime] | When an email authentication was performed |
| last_keyfob_auth | Optional[DateTime] | When a keyfob authentication was performed |
| last_totp_auth | Optional[DateTime] | When a TOTP authentication was performed |
| last_passkey_auth | Optional[DateTime] | When a passkey authentication was performed |
Authentication Level
The session's current authentication level will be calculated based on the fields in the Session table. The exact rules are still to be determined, however they will fit into the following levels:
- Plastic. The lowest authentication level when using a keyfob login.
- Bronze. Sessions that haven't authenticated in a while.
- Silver. Sessions that authenticated recently but didn't use 2fa.
- Gold. Sessions that authenticated recently with 2fa.
In OpenID terminology this is called the ACR.