Best Practices for Limiting Active User Sessions?
Hello Team,
We're using a cloud ZITADEL instance with a custom login UI and need guidance on managing user sessions. Our goal is to limit users to a maximum of two active sessions (like Netflix).
We've explored two ZITADEL API approaches, but both have challenges for our real-time needs:
Session Service API (v2):
When we list sessions, terminated sessions still appear, making it hard to identify truly active ones. For example, if a user has three sessions and terminates the second one, the API call to list the last two sessions returns the terminated second session and the most recent session, but not the oldest active one.
Reference: https://zitadel.com/docs/apis/resources/admin/admin-service-list-events
Event API:
We can see session.added and session.terminated events, but not events for sessions that expire automatically. Querying the entire event history for every request seems inefficient for real-time use.
Reference: https://zitadel.com/docs/concepts/eventstore/overview
Given this, we have a few questions:
1. What is the recommended, most reliable, and performant method to count a user's active sessions?
2. Are we misinterpreting the POST /v2/sessions/search endpoint? Is it the right tool for our use case?
3. Is there an event logged when a session expires due to inactivity (similar to session.terminated)? This would be crucial for accurate session counting if we rely on the Event API.
This is a general use case, so what is your recommendation for approaching it? Any suggestions would be greatly appreciated!
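An added example, not part of the original post and not ZITADEL's own code: one way to count active sessions from session.added and session.terminated events when expiry produces no event, by deriving expiry from the creation time. The event record shape, the fixed one-hour lifetime and the oldest-first eviction policy are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_ACTIVE = 2                          # limit stated in the post
ASSUMED_LIFETIME = timedelta(hours=1)   # assumption: fixed lifetime from creation


def active_sessions(events, now, lifetime=ASSUMED_LIFETIME):
    """Fold an ordered event stream into {user_id: {session_id: created_at}}.

    Expiry never shows up as an event, so it is derived here as
    created_at + lifetime instead of being read from the stream.
    """
    state = {}
    for ev in events:
        sessions = state.setdefault(ev["user_id"], {})
        if ev["type"] == "session.added":
            sessions[ev["session_id"]] = ev["at"]
        elif ev["type"] == "session.terminated":
            sessions.pop(ev["session_id"], None)
    return {
        user: {sid: at for sid, at in sessions.items() if at + lifetime > now}
        for user, sessions in state.items()
    }


def sessions_to_evict(active_for_user, limit=MAX_ACTIVE):
    """Oldest session ids to end so that one new login fits under the limit.

    Assumed policy: evict oldest first. Denying the new login is the alternative.
    """
    oldest_first = sorted(active_for_user, key=active_for_user.get)
    excess = len(oldest_first) + 1 - limit   # +1 for the session being created
    return oldest_first[:max(excess, 0)]


# Constructed sample events (hypothetical record shape, not real API output).
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {"type": "session.added", "user_id": "u1", "session_id": "s1", "at": T0},
    {"type": "session.added", "user_id": "u1", "session_id": "s2",
     "at": T0 + timedelta(minutes=10)},
    {"type": "session.added", "user_id": "u1", "session_id": "s3",
     "at": T0 + timedelta(minutes=20)},
    {"type": "session.terminated", "user_id": "u1", "session_id": "s2",
     "at": T0 + timedelta(minutes=30)},
]
```

Keeping the folded state in a cache and applying only new events avoids replaying the full history on every login.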

