Best way to detect whether user has any existing sessions?

What’s the best way to detect whether a user has any existing sessions?

Any ideas on this as we want users to only have one session at any one time on one device.

Hi @James-Distology,

It primarily depends on how you’re defining an existing session for your app. Some applications utilize tokens for session management, while others rely on the Okta session cookie.

I’d encourage you to explore the /sessions endpoint, as you will be able to retrieve a user’s current session via the API.

1 Like

It could be either using OAuth or using traditional Okta session cookies.

The Session endpoints only returns the current session, I can’t find a way to list all users sessions?

For OAuth, I can’t find a way to check if a user has any other existing sessions either.

Hi @James-Distology,

You can query for existing end-user sessions by listening to session start events via System Log API. Then, you can terminate the user session using the clear session API.

Hope this helps!

Thanks.

Would this work for any sessions done via OAuth as well?

Primarily depends on the OAuth 2.0 flow used.

As an example, if users are redirected through Okta for authentication, a session will be established - and visible.

However, if you’re using grant_type=password, you’re requesting tokens directly from the /token endpoint, and no Okta session will be present. In that case, you’ll have to monitor the state of the tokens in your backend application, and delete/revoke when necessary.