Skip to content
Rack Gateway

Sessions

Rack Gateway uses database-backed sessions to maintain authentication state after OAuth login. Sessions are designed for security, auditability, and revocability.

Session Architecture

Section titled “Session Architecture”

Session Characteristics

Section titled “Session Characteristics”
PropertyWeb SessionsCLI Sessions
StorageHTTP-only cookieConfig file
Default Lifetime5 minutes idle90 days
Expiration TypeSliding (activity-based)Fixed
CSRF RequiredYesNo
MFA SupportFullFull

Session Creation

Section titled “Session Creation”

Sessions are created after successful OAuth authentication:

  1. Generate token

    32 bytes of cryptographically secure random data, base64url encoded

  2. Hash for storage

    Token is SHA-256 hashed before database storage

  3. Record metadata

    • Channel (web or cli)
    • IP address
    • User agent
    • Device information
    • MFA status

  4. Set expiration

    Based on configured timeout and channel type

Session Token Format

Section titled “Session Token Format”
Raw token:    QnJ4R2pKM...  (43 characters, base64url)
Stored hash:  a4b2c8d9...   (64 characters, hex SHA-256)

The raw token is never stored. Even with database access, sessions cannot be hijacked.

Session Validation

Section titled “Session Validation”

Every authenticated request validates the session:

Validation Checks

Section titled “Validation Checks”
CheckDescriptionAction on Failure
Token existsSession found in database401 Unauthorized
Not revokedrevoked_at is null401 Unauthorized
Not expiredexpires_at > now401 + auto-revoke
Not idlelast_seen_at + TTL > now401 + auto-revoke
User existsAssociated user found401 + auto-revoke
User not lockedlocked_at is null401 + auto-revoke
User not suspendedsuspended is false401 + auto-revoke

Session Expiration

Section titled “Session Expiration”

Idle Timeout (Web)

Section titled “Idle Timeout (Web)”

Web sessions use sliding expiration based on activity:

Session Created: 10:00 AM
Last Activity:   10:03 AM
Timeout:         5 minutes
Expires:         10:08 AM (not 10:05!)

Each request refreshes the expiration, allowing continuous use without re-authentication.

Absolute Timeout (CLI)

Section titled “Absolute Timeout (CLI)”

CLI sessions have a fixed 90-day lifetime:

  • Longer lifetime for automation convenience
  • Activity does not extend expiration
  • Token must be refreshed by re-authenticating

Configuring Timeout

Section titled “Configuring Timeout”
Terminal window
# Set idle timeout to 15 minutes
RGW_SETTING_SESSION_TIMEOUT_MINUTES=15

The timeout is stored with each session, so existing sessions keep their original timeout when settings change.

Session Revocation

Section titled “Session Revocation”

Sessions can be revoked through multiple mechanisms:

User-Initiated Logout

Section titled “User-Initiated Logout”
Terminal window
# CLI logout
rack-gateway logout


# Web UI: Click user menu → Sign Out

Admin Revocation

Section titled “Admin Revocation”

Administrators can revoke user sessions:

  1. Web UI → Users → Select User → Sessions
  2. Click “Revoke” on specific session or “Revoke All”

Automatic Revocation

Section titled “Automatic Revocation”

Sessions are automatically revoked when:

  • Session expires (idle or absolute timeout)
  • User account is locked
  • User account is suspended
  • Password/MFA is reset (optional)

Programmatic Revocation

Section titled “Programmatic Revocation”
// Revoke by session ID
sessionManager.RevokeByID(sessionID, &revokedByUserID)


// Revoke all sessions for a user
sessionManager.RevokeAllForUser(userID, &revokedByUserID)

Session Metadata

Section titled “Session Metadata”

Each session stores metadata for security and auditing:

FieldDescription
user_idAssociated user
token_hashSHA-256 of session token
channelweb or cli
device_idOptional device identifier
device_nameUser-provided device name
ip_addressLast seen IP address
user_agentLast seen user agent
created_atSession creation time
last_seen_atLast activity timestamp
expires_atExpiration timestamp
revoked_atRevocation timestamp (null if active)
mfa_verified_atMFA verification timestamp
recent_step_up_atRecent step-up auth timestamp

Device Tracking

Section titled “Device Tracking”

Sessions track device information for the user to identify their active sessions:

{
  "device_id": "browser-firefox-001",
  "device_name": "Firefox on MacOS",
  "ip_address": "192.168.1.100",
  "user_agent": "Mozilla/5.0 (Macintosh; ...)"
}

Users can view their active sessions in the web UI under Account → Security → Active Sessions.

MFA and Sessions

Section titled “MFA and Sessions”

MFA Verification

Section titled “MFA Verification”

When MFA is required, sessions track verification status:

Session FieldPurpose
mfa_verified_atTimestamp of initial MFA verification
trusted_device_idReference to trusted device (if remembered)
recent_step_up_atTimestamp of recent step-up verification

Step-Up Authentication

Section titled “Step-Up Authentication”

For sensitive actions, users may need to re-verify MFA even within an active session:

  • Configurable step-up window (default: 10 minutes)
  • After step-up, recent_step_up_at is updated
  • Subsequent sensitive actions within window don’t require re-verification

CSRF Protection

Section titled “CSRF Protection”

Web sessions require CSRF tokens:

Token Derivation

Section titled “Token Derivation”
CSRF Token = HMAC-SHA256(secret, "csrf|" + session_token)

The CSRF token is derived from the session token using HMAC, ensuring:

  • Each session has a unique CSRF token
  • Token cannot be guessed without knowing the session
  • Validation is fast (no database lookup)

Validation

Section titled “Validation”

Web requests include CSRF token in header:

X-CSRF-Token: <token>

API requests with bearer tokens don’t require CSRF (token-based auth is inherently CSRF-safe).

Session Cleanup

Section titled “Session Cleanup”

Expired and revoked sessions are automatically cleaned up:

  • Background job runs periodically
  • Removes sessions where expires_at < now - 7 days
  • Preserves recent revoked sessions for audit purposes

Security Best Practices

Section titled “Security Best Practices”

Session Timeout Selection

Section titled “Session Timeout Selection”
Use CaseRecommended Timeout
High-security production5 minutes
Standard production15 minutes
Internal/trusted network30 minutes
Development1 hour

Monitoring Sessions

Section titled “Monitoring Sessions”

Monitor for anomalies:

  • Multiple concurrent sessions from different IPs
  • Sessions from unusual geolocations
  • Rapid session creation/destruction

Incident Response

Section titled “Incident Response”

If a session is compromised:

  1. Revoke immediately

    Admin revokes the specific session or all user sessions

  2. Lock account (if needed)

    Lock the user account to prevent new sessions

  3. Review audit logs

    Check what actions were taken with the compromised session

  4. Rotate secrets (if needed)

    If actions accessed sensitive data, rotate affected credentials

  5. Unlock and notify

    After securing, unlock account and notify user

Next Steps

Section titled “Next Steps”