Only opening a single session per user
sagivoulu opened this issue · 1 comments
I am using lua-resty-session alongside lua-resty-openidc in order to authenticate users & create a session for them.
Now our security team wants me to only allow a single session per user (the assumption is that if Alice has two sessions from two computers then one of these sessions must not be Alice).
Do you know how this can be done with lua-resty-session? What I am thinking of doing is every time a user logs in and Lua creates a session for him, I will search for another session with the same user id. If another session exists, the other session will be destroyed (basically every time Alice logs in from a new computer, all other older sessions get destroyed).
So any idea how this can be done? Is there an option to find a session object by content? something like:
session.find({user_id: "alice"})
P.S. I am storing the sessions in a shared redis instance
The 4.0.0 has store_metadata option. Next we need to start using this data.
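The "newest login wins" approach described in the question, as an added example that is not part of the thread and is not lua-resty-session code: a per-user index key is swapped atomically on login, so the previous session id is known and can be destroyed without searching sessions by content. The key prefixes, the `FakeRedis` stand-in (constructed, in-memory, mimicking Redis GET/SET/GETSET/DEL) and the function names are assumptions.

```python
import secrets

class FakeRedis:
    """Constructed in-memory stand-in for the Redis commands used below."""
    def __init__(self):
        self.data = {}
    def get(self, key):
        return self.data.get(key)
    def set(self, key, value):
        self.data[key] = value
    def getset(self, key, value):
        # Redis GETSET: store the new value and return the previous one atomically.
        old = self.data.get(key)
        self.data[key] = value
        return old
    def delete(self, key):
        return 1 if self.data.pop(key, None) is not None else 0

SESSION_PREFIX = "sessions:"         # assumed layout: session id -> user id
USER_INDEX_PREFIX = "user_session:"  # assumed layout: user id -> current session id

def login(store, user_id):
    """Create a session for user_id and destroy the one it replaces."""
    sid = secrets.token_urlsafe(32)
    store.set(SESSION_PREFIX + sid, user_id)
    # The atomic swap means two concurrent logins cannot both stay indexed.
    old = store.getset(USER_INDEX_PREFIX + user_id, sid)
    if old is not None and old != sid:
        store.delete(SESSION_PREFIX + old)
    return sid

def authenticate(store, sid):
    """Return the user id for sid, or None if it is not the user's current session."""
    user_id = store.get(SESSION_PREFIX + sid)
    if user_id is None:
        return None
    # Re-check the index on every request: a session whose deletion failed
    # or raced with a newer login is rejected and cleaned up here.
    if store.get(USER_INDEX_PREFIX + user_id) != sid:
        store.delete(SESSION_PREFIX + sid)
        return None
    return user_id

def logout(store, sid):
    """Destroy sid; clear the index only if it still points at sid."""
    user_id = store.get(SESSION_PREFIX + sid)
    store.delete(SESSION_PREFIX + sid)
    # Against real Redis this compare-and-delete needs a script or WATCH/MULTI.
    if user_id is not None and store.get(USER_INDEX_PREFIX + user_id) == sid:
        store.delete(USER_INDEX_PREFIX + user_id)
```

On a real Redis instance the index key should expire together with the session key, otherwise it outlives the session it points to.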