Add configurable maximum concurrent sessions per user #849

Description

@RUKAYAT-CODER

Overview

src/session/session.service.ts allows unlimited concurrent sessions per user. An attacker with a stolen credential can maintain parallel sessions indefinitely without the legitimate user being notified or existing sessions being invalidated.

Specifications

Features:

  • Limit concurrent active sessions per user to a configurable maximum (default 5).
  • Evict the oldest session when the limit is exceeded (LRU policy).

Tasks:

  • Track user sessions in a Redis Sorted Set keyed by user:sessions:{userId}, scored by createdAt.
  • In createSession(), after saving the new session, trim the sorted set to the max size and delete evicted sessions.
  • Read MAX_SESSIONS_PER_USER from ConfigService (default 5).
  • Add unit tests for eviction behavior.

Impacted Files:

  • src/session/session.service.ts

Acceptance Criteria

  • Creating session N+1 evicts the oldest session.
  • Evicted session cannot be used for authentication.
  • Max session count is configurable without code changes.
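The tasks and acceptance criteria above, worked through as an added example that is not the project's own code: a tiny in-memory stand-in (constructed here) replaces the Redis sorted-set commands the tasks name, and the `maxSessions` constructor argument stands in for MAX_SESSIONS_PER_USER read from ConfigService; all class and method names are assumptions.

```typescript
// Added example (not the project's code): per-user session cap with oldest-first
// eviction. MinimalSortedSet stands in for the Redis sorted-set commands the
// task names (ZADD, ZRANGE, ZREM); the `maxSessions` constructor argument stands
// in for MAX_SESSIONS_PER_USER read from ConfigService. All names are assumptions.
interface Session { id: string; userId: string; createdAt: number }

class MinimalSortedSet {
  private sets = new Map<string, Map<string, number>>();
  zadd(key: string, score: number, member: string): void {
    if (!this.sets.has(key)) this.sets.set(key, new Map());
    this.sets.get(key)!.set(member, score);
  }
  // Members in ascending score order; negative indices count from the end, as in Redis.
  zrange(key: string, start: number, stop: number): string[] {
    const ordered = Array.from(this.sets.get(key) ?? new Map<string, number>())
      .sort((a, b) => a[1] - b[1]).map(([member]) => member);
    const n = ordered.length;
    const from = start < 0 ? Math.max(n + start, 0) : start;
    const to = stop < 0 ? n + stop : Math.min(stop, n - 1);
    return from > to ? [] : ordered.slice(from, to + 1);
  }
  zrem(key: string, member: string): void { this.sets.get(key)?.delete(member); }
}

class SessionService {
  private sessions = new Map<string, Session>(); // stand-in for the session store
  private seq = 0;
  constructor(private store: MinimalSortedSet, private maxSessions = 5) {}

  // createdAt is a parameter so tests can fix the ordering; production would use Date.now().
  createSession(userId: string, createdAt = Date.now()): { session: Session; evicted: string[] } {
    const session: Session = { id: `sess-${++this.seq}`, userId, createdAt };
    this.sessions.set(session.id, session);
    const key = `user:sessions:${userId}`;
    this.store.zadd(key, createdAt, session.id);
    // Ranks 0 .. -(max+1) are the entries older than the newest maxSessions; evict them.
    const evicted = this.store.zrange(key, 0, -this.maxSessions - 1);
    for (const id of evicted) { this.store.zrem(key, id); this.sessions.delete(id); }
    return { session, evicted };
  }

  // Authentication check: an evicted session was deleted, so it no longer validates.
  isValid(sessionId: string): boolean { return this.sessions.has(sessionId); }
}
```

Against real Redis the same flow is ZADD, then ZRANGE 0 -(max+1) to learn which session ids to delete, then ZREM plus deletion of the session records, so the evicted ids fail the authentication lookup.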
