Overview
src/session/session.service.ts allows unlimited concurrent sessions per user. An attacker with a stolen credential can maintain parallel sessions indefinitely without the legitimate user being notified or existing sessions being invalidated.
Specifications
Features:
- Limit concurrent active sessions per user to a configurable maximum (default 5).
- Evict the oldest session when the limit is exceeded (LRU policy).
Tasks:
- Track user sessions in a Redis Sorted Set keyed by user:sessions:{userId}, scored by createdAt.
- In createSession(), after saving the new session, trim the sorted set to the max size and delete evicted sessions.
- Read MAX_SESSIONS_PER_USER from ConfigService (default 5).
- Add unit tests for eviction behavior.
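Worked example of the eviction step, added here and not the project's own code: createSession() records the session, ZADDs it to user:sessions:{userId} scored by createdAt, then reads and removes every member older than the newest maxSessions. Redis is replaced by a constructed in-memory sorted set with the same rank semantics so the logic runs offline; the session record map stands in for the per-session keys.

```typescript
// Minimal subset of the Redis sorted-set commands the ticket's design needs.
interface SortedSet {
  zadd(key: string, score: number, member: string): void;
  zrange(key: string, start: number, stop: number): string[];
  zrem(key: string, ...members: string[]): void;
}

// Constructed in-memory stand-in for Redis (example only): same rank/negative-index rules.
class MemorySortedSet implements SortedSet {
  private sets = new Map<string, Map<string, number>>();
  zadd(key: string, score: number, member: string): void {
    const s = this.sets.get(key) ?? new Map<string, number>();
    s.set(member, score);
    this.sets.set(key, s);
  }
  zrange(key: string, start: number, stop: number): string[] {
    const sorted = [...(this.sets.get(key) ?? new Map<string, number>()).entries()]
      .sort((a, b) => a[1] - b[1] || a[0].localeCompare(b[0]))
      .map(([m]) => m);
    const n = sorted.length;
    const from = start < 0 ? Math.max(n + start, 0) : start;
    const to = stop < 0 ? n + stop : Math.min(stop, n - 1);
    return from > to ? [] : sorted.slice(from, to + 1);
  }
  zrem(key: string, ...members: string[]): void {
    const s = this.sets.get(key);
    members.forEach((m) => s?.delete(m));
  }
}

class SessionService {
  // Stands in for the per-session records (session:{id}) that authentication checks.
  private sessions = new Map<string, { userId: string; createdAt: number }>();
  // maxSessions would come from ConfigService (MAX_SESSIONS_PER_USER, default 5).
  constructor(private store: SortedSet, private maxSessions = 5) {}

  // Returns the session ids evicted by this call (empty when under the limit).
  createSession(userId: string, sessionId: string, createdAt: number): string[] {
    const key = `user:sessions:${userId}`;
    this.sessions.set(sessionId, { userId, createdAt });
    this.store.zadd(key, createdAt, sessionId);
    // Ranks 0 .. -(max+1) are everything except the newest `maxSessions` members.
    // In production, run ZRANGE + ZREM inside MULTI/EXEC or a Lua script so two
    // concurrent logins cannot both observe an under-limit set.
    const evicted = this.store.zrange(key, 0, -(this.maxSessions + 1));
    if (evicted.length > 0) {
      this.store.zrem(key, ...evicted);
      evicted.forEach((id) => this.sessions.delete(id)); // evicted id no longer authenticates
    }
    return evicted;
  }

  isValid(sessionId: string): boolean {
    return this.sessions.has(sessionId);
  }
}
```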
Impacted Files:
src/session/session.service.ts
Acceptance Criteria
- Creating session N+1 evicts the oldest session.
- Evicted session cannot be used for authentication.
- Max session count is configurable without code changes.