Session Management

API Version: 1.0.0

Overview

DoneIsBetter SSO uses secure HTTP-only cookies for session management, providing robust security while maintaining a seamless user experience across your applications.

Session Lifecycle

1. Session Creation

Sessions are created upon successful authentication and contain:

  • Unique session identifier
  • User information
  • Permissions
  • Expiration timestamp

2. Session Validation

// Validate current session. SSOClient is the class from the DoneIsBetter
// client library; import it the way your module system or bundler requires.
const sso = new SSOClient('https://sso.doneisbetter.com');
const session = await sso.validateSession();

if (session.isValid) {
  // Expiration is exposed on session.session, user details on session.user
  console.log('Session expires at:', session.session.expiresAt);
  console.log('User:', session.user);
} else {
  console.log('Session is invalid or expired');
}

3. Session Expiration

Sessions automatically expire after:

  • 30 minutes of inactivity
  • 8 hours from creation (maximum lifetime)
  • User explicitly signs out

Automatic Session Refresh

Implement automatic session refresh to maintain user sessions during active use:

function setupSessionRefresh() {
  // One client instance is enough; validateSession() relies on the HTTP-only
  // cookie the browser sends automatically, so nothing is passed explicitly.
  const sso = new SSOClient('https://sso.doneisbetter.com');

  // Check session every 5 minutes. Polling keeps the session alive during
  // active use; it does not extend the 8-hour maximum lifetime.
  const timer = setInterval(async () => {
    try {
      const result = await sso.validateSession();
      if (!result.isValid) {
        // Redirect to login or handle expired session
        sso.redirectToLogin();
      }
    } catch (error) {
      console.error('Session refresh failed:', error);
    }
  }, 5 * 60 * 1000);

  // Return the timer so the caller can clearInterval() it on shutdown
  return timer;
}

Cross-Domain Sessions

To enable SSO across multiple domains:

  1. Register all domains with DoneIsBetter SSO
  2. Configure CORS settings for each domain
  3. Ensure consistent cookie settings across domains

// Example domain registration object
{
  "domain": "your-app.com",
  "environments": {
    "development": ["localhost:3000"],
    "production": ["app.your-domain.com"]
  },
  "settings": {
    "sameSite": "None",
    "secure": true
  }
}

Security Considerations

  • All cookies are HTTP-only and secure
  • Session IDs are cryptographically secure
  • Sessions are invalidated upon sign-out
  • IP binding is optional for additional security
  • Rate limiting is applied to all session endpoints

Best Practices

  • Implement proper error handling for session operations
  • Use the provided client library for consistent behavior
  • Monitor session events for security purposes
  • Validate active sessions regularly
  • Clean up refresh timers and session state on application shutdown

Troubleshooting

Common Issues

  • Session not persisting: Check CORS and cookie settings
  • Frequent session expiration: Verify refresh mechanism
  • Cross-domain issues: Confirm domain registration