We are using lua-resty-session as a dependency of lua-resty-openidc-1.7.3, and would like a way to limit the number of sessions per user to defend against DoS attacks. Currently, it does not look like there is any implementation for this. Our IdM does not support such a feature, so we would like to check how many sessions a current user has, and only create a new one if a max limit is not reached.
You mean if a single user is using multiple devices, or multiple processes or different browsers, you want the library to limit how many the user can open?
What happens when limit exceeds? User cannot login anymore? Or the oldest non-used session is deleted?
There are a couple of issues.
the session library does not know what is stored in the session and what the session is bound to
with cookie storage we cannot really delete the sessions as they only reside on the client and we don't have a revocation feature for that as it requires a db
To make this work:
we need to use some kind of server storage.
we need to add something like session.subject = "[user]" where the "[user]" has to be provided by the app.
we need to have APIs and perhaps configs to do the actual implementation
You could probably do this on your own, that is, on login store the user's session id in a user-sessions table and delete the oldest if the limit is exceeded. If someone uses a deleted one, you need to call session:destroy.
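One way to implement the per-user cap sketched in the reply above, as an added example that is not code from lua-resty-session, lua-resty-openidc or the thread. It assumes an `lua_shared_dict user_sessions 10m;` declared in nginx.conf as the server-side registry, lua-resty-session 3.x semantics (`start`, `open`, `save`, `destroy`, `session.id`, `session.data`), and that the application stores the user identifier in `session.data.subject` at login (the `session.subject` field proposed above does not exist yet).

```lua
-- Added example (not library code). Registry: ngx.shared.user_sessions,
-- keys "subj:<user>" -> JSON list of live session ids (oldest first),
-- keys "sid:<id>"    -> owning user, used for the per-request check.
local cjson = require "cjson.safe"
local resty_session = require "resty.session"

local MAX_SESSIONS = 3                     -- per-user cap (policy choice)
local dict = ngx.shared.user_sessions      -- assumed lua_shared_dict

local function load_index(subject)
  local raw = dict:get("subj:" .. subject)
  return (raw and cjson.decode(raw)) or {}
end

-- Record a new session for `subject`; evict the oldest beyond the cap.
-- get/set on the dict are not atomic across workers: wrap this in a
-- resty.lock if concurrent logins for the same user are expected.
local function register_session(subject, session_id)
  local ids = load_index(subject)
  ids[#ids + 1] = session_id
  local evicted = {}
  while #ids > MAX_SESSIONS do
    local old = table.remove(ids, 1)       -- oldest first
    dict:delete("sid:" .. old)             -- makes enforce() reject it
    evicted[#evicted + 1] = old
  end
  dict:set("sid:" .. session_id, subject)
  dict:set("subj:" .. subject, cjson.encode(ids))
  return evicted
end

-- Login handler: create the session, bind it to the user, register it.
local function login(user_id)
  local session = resty_session.start()
  session.data.subject = user_id           -- app-provided binding (assumption)
  session:save()
  local evicted = register_session(user_id, session.id)
  ngx.log(ngx.INFO, "user ", user_id, " logged in; evicted ", #evicted, " session(s)")
end

-- Access phase: a presented session missing from the registry was evicted,
-- so destroy it (clears the client cookie) and deny the request.
local function enforce()
  local session = resty_session.open()
  local subject = session.data and session.data.subject
  if not subject then return session end   -- anonymous request, nothing to check
  if dict:get("sid:" .. session.id) ~= subject then
    session:destroy()
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
  end
  return session
end

return { login = login, enforce = enforce }
```

Call `login(user)` from the post-authentication step and `enforce()` from an `access_by_lua_block` in front of protected locations; evicted sessions are rejected on their next use rather than at eviction time, since the cookie cannot be recalled from the client.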