User sessions

User sessions provide the single sign-on (SSO) functionality of Goiabada. Once a user logs in, a new session starts. If they try to log in again while that session is still valid, they do not need to go through the authentication process again.

There are two configurations related to user sessions:

| Property | Description |
| --- | --- |
| User session idle timeout in seconds | If there is no activity from the user within this timeframe, the session is terminated. This is checked against the last_accessed timestamp of the session. |
| User session max lifetime in seconds | The maximum duration a user session can last, irrespective of user activity. This is checked against the started timestamp of the session. |

A user session is “bumped” (receives a new last_accessed timestamp) in two situations:

  1. When a new authorization request completes
  2. When a refresh token associated with the session is used to request a new access token

In your authorization request, you can include the max_age parameter. This allows you to define the maximum acceptable time (in seconds) since the session started.

For instance, if you add max_age=120 to the authentication request, the user needs to re-authenticate if their session started more than 120 seconds (2 minutes) ago, regardless of having a valid session or recent activity.

This is useful when the client needs to ensure that the user authenticated within a specific timeframe. Unlike the session idle timeout (which resets with activity), max_age is always measured from when the session was originally created.

GET /auth/authorize?
client_id=my-app&
redirect_uri=https://my-app.com/callback&
response_type=code&
scope=openid&
max_age=120&
code_challenge=...&
code_challenge_method=S256
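The following is an added example, not Goiabada's own code, that models the three checks described on this page (idle timeout against last_accessed, max lifetime against started, and a client-supplied max_age also against started) together with the "bump" that resets last_accessed. Type and function names are assumptions chosen for illustration, and max_age is treated as supplied-or-not so that max_age=0 can force re-authentication.

```go
package main

import (
	"fmt"
	"time"
)

// SessionConfig holds the two server-side settings from the table above (names assumed).
type SessionConfig struct {
	IdleTimeoutSeconds int64 // compared with last_accessed
	MaxLifetimeSeconds int64 // compared with started
}

// UserSession carries the two timestamps the checks depend on.
type UserSession struct {
	Started      time.Time
	LastAccessed time.Time
}

type SessionStatus int

const (
	SessionValid           SessionStatus = iota
	SessionIdleExpired                   // no activity within the idle timeout
	SessionLifetimeExpired               // older than the max lifetime
	SessionOlderThanMaxAge               // valid, but started earlier than the client's max_age allows
)

// Evaluate applies the checks in order. hasMaxAge=false means the request carried no max_age;
// with hasMaxAge=true the session age is compared with maxAge seconds, measured from started.
func Evaluate(s UserSession, cfg SessionConfig, maxAge int64, hasMaxAge bool, now time.Time) SessionStatus {
	age := now.Sub(s.Started)
	if now.Sub(s.LastAccessed) > time.Duration(cfg.IdleTimeoutSeconds)*time.Second {
		return SessionIdleExpired
	}
	if age > time.Duration(cfg.MaxLifetimeSeconds)*time.Second {
		return SessionLifetimeExpired
	}
	if hasMaxAge && age > time.Duration(maxAge)*time.Second {
		return SessionOlderThanMaxAge
	}
	return SessionValid
}

// Bump refreshes last_accessed, as happens when an authorization request completes or a
// refresh token tied to the session is used. It never touches started, so max_age is unaffected.
func Bump(s UserSession, now time.Time) UserSession {
	s.LastAccessed = now
	return s
}

func main() {
	now := time.Now()
	cfg := SessionConfig{IdleTimeoutSeconds: 1800, MaxLifetimeSeconds: 28800}
	s := UserSession{Started: now.Add(-10 * time.Minute), LastAccessed: now.Add(-5 * time.Minute)}
	fmt.Println("no max_age:", Evaluate(s, cfg, 0, false, now))  // SessionValid
	fmt.Println("max_age=120:", Evaluate(s, cfg, 120, true, now)) // SessionOlderThanMaxAge
}
```

Because Bump only updates last_accessed, a session that is bumped regularly still fails a max_age check once it has existed longer than the requested number of seconds.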