Restricting Users to a Single Active Session in FusionAuth
- 
 We found that a single user can have multiple active sessions simultaneously, meaning a user can log in multiple times. Is there a configuration in FusionAuth to restrict users to a single active session? 
- 
 Currently, FusionAuth does not have native support for limiting users to a single session. However, this can be achieved programmatically using API calls.

 Steps to Restrict to a Single Active Session:
- User Logs In: Upon a successful login, you will receive a new JWT for the session.
- Retrieve Existing JWTs: Use the GET /api/jwt/refresh endpoint to fetch all active JWTs for the user: GET /api/jwt/refresh?userId={userId} (Documentation: Retrieve JWTs)
- Revoke Other Sessions: Loop through the retrieved JWTs and revoke all tokens except for the one associated with the most recent login. Use the DELETE /api/jwt/refresh endpoint to revoke each token: DELETE /api/jwt/refresh?token={token} (Documentation: Revoke JWT)

 Considerations:
- This approach assumes the most recent login session is the one you want to keep active.
- It requires handling session management programmatically on your end.

 Feature Request: There is an open request for native session-limiting functionality in FusionAuth. If this feature is important to your use case, you can upvote the request on GitHub: GitHub Issue #1363
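
The three steps from the answer above as one function, as an added example that is not part of the original post or FusionAuth's own code. The response field names `refreshTokens` and `token` are assumptions about the listing format, and `FakeFusionAuth` with its token values is a constructed stand-in so the block runs offline.

```python
import json
import urllib.parse
import urllib.request


def fusionauth_call(base_url, api_key):
    """Return call(method, path, query) bound to one FusionAuth instance."""
    def call(method, path, query):
        url = f"{base_url}{path}?{urllib.parse.urlencode(query)}"
        req = urllib.request.Request(url, method=method,
                                     headers={"Authorization": api_key})
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read()
        return json.loads(body) if body else {}
    return call


def enforce_single_session(call, user_id, current_token):
    """Revoke every token listed for user_id except current_token; return count."""
    listing = call("GET", "/api/jwt/refresh", {"userId": user_id})
    # Assumption: tokens are listed under "refreshTokens", each with a "token" field.
    tokens = [entry["token"] for entry in listing.get("refreshTokens", [])]
    if current_token not in tokens:
        # Revoking now would end every session, including the new login.
        raise LookupError("token from this login is not in the user's list")
    revoked = 0
    for token in tokens:
        if token != current_token:
            call("DELETE", "/api/jwt/refresh", {"token": token})
            revoked += 1
    return revoked


class FakeFusionAuth:
    """Constructed in-memory stand-in so the example runs offline."""
    def __init__(self, tokens_by_user):
        self.tokens_by_user = tokens_by_user

    def call(self, method, path, query):
        if method == "GET":
            held = self.tokens_by_user.get(query["userId"], [])
            return {"refreshTokens": [{"token": t} for t in held]}
        for held in self.tokens_by_user.values():  # DELETE by token value
            if query["token"] in held:
                held.remove(query["token"])
        return {}


def demo():
    server = FakeFusionAuth({"user-1": ["tok-laptop", "tok-phone", "tok-new"]})
    revoked = enforce_single_session(server.call, "user-1", "tok-new")
    return revoked, server.tokens_by_user["user-1"]
```

Against a real instance, pass `fusionauth_call(base_url, api_key)` as `call`. Access JWTs already issued to the revoked sessions stay valid until they expire, since revoking a refresh token only stops new ones from being minted.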