Hosted Login session checking

Hosted Login includes the sid (session uuid) claim in each identity token it issues. For example, if a user logs on to website A, their decoded identity token will look similar to this:
```json
{
  "acr": "urn:akamai-ic:nist:800-63-3:aal:2",
  "amr": [
    "pwd",
    "email",
    "mfa",
    "rba"
  ],
  "at_hash": "ALXc_YDALIO5tZx-ylYSbg",
  "aud": [
    "64430515-01ea-4f5d-82e4-c36161af0093"
  ],
  "auth_time": 1645632102,
  "azp": "64430515-01ea-4f5d-82e4-c36161af0093",
  "exp": 1645635706,
  "global_sub": "capture-v1://se-demos-gstemp.us-dev.janraincapture.com/79y4mqf2rt3bxs378kw5479xdu/GREG_DEMO/1093dc46-ec44-4e23-82c3-b2c22f7302db",
  "iat": 1645632106,
  "iss": "https://v1.api.us.janrain.com/e0a70b4f-1eef-4856-bcdb-f050fee66aae/login",
  "jti": "v6k0jxLefT7YkK8hJXjdlvjo",
  "sid": "40446321-b702-4bc0-97dc-fb458cf3dcc8",
  "sub": "1093dc46-ec44-4e23-82c3-b2c22f7302db"
}
```
The sid claim references the unique identifier assigned to the user's Hosted Login session. Equally important, that sid remains assigned to the user until their Hosted Login session ends.
Important Concept

There can only be one Hosted Login session per user (uuid) at any given time. As a user logs in across various devices, those devices are bound to the same session. When a user logs out from a device, that device is unbound from the session, while other devices retain access to the session. This architecture allows for a secure “Log me out everywhere” function because when the Hosted Login session is deleted, all device logins (“bindings”) are deleted with it.
For example, suppose a user logs on to a Hosted Login website and then navigates away from that site for a while. When they return, Hosted Login can retrieve the sid claim from their identity token, verify their session is still valid, and allow them back onto the site without requiring a reauthentication.
Note that the user experience in the example above can vary depending on the prompt parameter in your authorization call:

- If you don’t use the prompt parameter, a user with a valid session will be waved through and a user without a valid session will be prompted to sign in.
- If prompt=none, a user with a valid session will be waved through and if there's no valid session, a No authenticated session found error will be returned. (You must trap for this error and redirect the user as desired.)
- If prompt=login, the sign-in screen is displayed regardless of session validity.
- If prompt=create, the account creation screen is displayed regardless of session validity.
You can use prompt=none to create an unprompted single sign-on experience across distinct sites on the same device. For more information, see Single sign-on (SSO) in the Get Started guides.
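The following is an added example, not code from the Hosted Login documentation or product, showing how a relying party can issue the authorization request with each prompt value described above and trap the error that prompt=none returns when there is no valid session, redirecting to an interactive sign-in instead of surfacing the error. The endpoint, client ID, redirect URI and the error code in the sample callback are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values for illustration only; not real Hosted Login endpoints or clients.
AUTHORIZE_ENDPOINT = "https://login.example.test/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.test/callback"

# None means "omit the parameter"; the other three are the values the page describes.
VALID_PROMPTS = {None, "none", "login", "create"}


def build_authorize_url(prompt=None, state=None):
    """Build an OIDC authorization request, adding `prompt` only when one is given.

    `state` binds the response to this request; a fresh random value is generated
    when the caller does not supply one.
    """
    if prompt not in VALID_PROMPTS:
        raise ValueError(f"unsupported prompt value: {prompt!r}")
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "state": state or secrets.token_urlsafe(16),
    }
    if prompt is not None:
        params["prompt"] = prompt
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(callback_url, requested_prompt, expected_state):
    """Decide what to do with the authorization response.

    Returns ("code", <code>) when an authorization code came back, or
    ("redirect", "login") when a prompt=none session check found no valid
    session and the user should be sent to an interactive sign-in. Any other
    error, or a state mismatch, raises.
    """
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    if "error" in qs:
        # With prompt=none and no valid session the provider returns an error
        # (rendered as "No authenticated session found") instead of a code.
        # Trap it here and fall back to prompt=login rather than showing the error.
        if requested_prompt == "none":
            return ("redirect", "login")
        raise RuntimeError(f"authorization failed: {qs['error'][0]}")
    return ("code", qs["code"][0])


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(prompt="none", state=state))
    # Constructed callback standing in for the no-session response to a prompt=none request.
    print(handle_callback(f"{REDIRECT_URI}?error=constructed_no_session&state={state}", "none", state))
```

The fallback deliberately returns the prompt value to use rather than a URL, so the caller builds the second request with a new state value instead of reusing the one from the failed silent check.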
When a user with a valid session signs in again, their sid remains the same (in this example, 40446321-b702-4bc0-97dc-fb458cf3dcc8).

The sid also remains the same across all devices the user signs in with. Hosted Login uses cookies to track devices that are bound to the same user session. See The logout button for more information about devices.
This session check is just that: a check to see whether a valid session is still running. What the session check doesn’t do is restart the session clock. For example, suppose you allow sessions to run for 24 hours before they expire. Ten hours after starting a session, a user comes back to your website and a session check is performed. At that point, the user’s session will have 14 hours remaining before it expires: 24 hours minus the 10 hours that the session has been running. The session check does not reset the session to its full 24-hour lifespan.
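As an added example (not code from the Hosted Login documentation or product), the snippet below shows the relying-party side of what the last few paragraphs describe: reading the sid claim from an identity token, recognising that a returning user is still in the same Hosted Login session when the sid is unchanged and in a new one when it differs, and computing the time left in a 24-hour session from when the session was first seen rather than resetting it on each check. The token helper is a constructed, unsigned stand-in so the code runs offline; the tracker assumes the session started when this relying party first saw its sid, which is an assumption of the example, not something the page states.

```python
import base64
import json

# Constructed policy value matching the page's 24-hour example.
SESSION_LIFETIME_SECONDS = 24 * 60 * 60


def make_token(claims):
    """Build a constructed, UNSIGNED three-segment token for offline demonstration only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."


def decode_payload(id_token):
    """Return the claims of an identity token whose signature has already been verified.

    This only base64url-decodes the payload segment; signature and issuer/audience
    checks must happen before the claims are trusted.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("identity token must have three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


class SessionTracker:
    """Relying-party record of the Hosted Login session observed for each user.

    Keyed by sub; stores the sid and the time this relying party first saw it,
    which the example treats as the session start (an assumption, see lead-in).
    """

    def __init__(self, lifetime=SESSION_LIFETIME_SECONDS):
        self.lifetime = lifetime
        self._sessions = {}  # sub -> (sid, first_seen)

    def observe(self, claims, now):
        """Record the sid from a freshly received token and say whether it changed.

        A changed sid means the previous Hosted Login session ended (logout or
        expiry) and a new one began; an unchanged sid is the same session,
        which a session check does not renew.
        """
        sub, sid = claims["sub"], claims["sid"]
        known = self._sessions.get(sub)
        if known is None or known[0] != sid:
            self._sessions[sub] = (sid, now)
            return "new_session"
        return "same_session"

    def remaining(self, sub, now):
        """Seconds left before the tracked session expires; never reset by a check."""
        _sid, started = self._sessions[sub]
        return max(0, started + self.lifetime - now)


if __name__ == "__main__":
    tracker = SessionTracker()
    # Constructed claims reusing the sid shown in the page's token.
    token = make_token({"sub": "1093dc46-ec44-4e23-82c3-b2c22f7302db",
                        "sid": "40446321-b702-4bc0-97dc-fb458cf3dcc8"})
    claims = decode_payload(token)
    start = 1_000_000
    print(tracker.observe(claims, now=start))                        # new_session
    print(tracker.observe(claims, now=start + 10 * 3600))            # same_session
    print(tracker.remaining(claims["sub"], now=start + 10 * 3600))   # 50400 (14 hours)
```

Because `observe` only records the start time when the sid changes, the ten-hour check in the usage above leaves fourteen hours on the clock, exactly the arithmetic the text walks through.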