SuperTokens

SuperTokens

  • Docs
  • Discord
  • Blog

›Sessions

SIDEBAR_REPLACE_DOC_Introduction

  • Introduction

Quick setup

  • Video tutorial & Architecture
  • Frontend
  • Backend
  • Core

    • Core Overview
    • Self Hosted setup with Docker
    • Self Hosted setup without Docker
    • Managed Service

    Database Setup

    • MySQL
    • PostgreSQL

Common customizations

  • Sign Out
  • Sign Up Form

    • About
    • Adding Extra Fields
    • Adding / Modifying field validators
    • Embed in a page
    • Handling signup success
    • Terms of service & Privacy policy links

    Sign In Form

    • About
    • Adding / Modifying field validators
    • Password managers
    • Embed in a page
    • Show Sign In by default

    Reset Password

    • About
    • Reset password email
    • Embed in a page

    Email Verification

    • About
    • Customising the email sent
    • Embed in a page

    Sessions

    • About
    • Cookie Consent
    • Creating a new session
    • Session Verification in API
    • Change session timeout
    • Checking if a session exists on the frontend
    • Get user information on the frontend
    • Using with FaunaDB

    Styling

    • Changing Colours
    • Changing Style via CSS
    • Themes

    Changing base path

    • Website Base Path
    • API Base Path

    Multi Tenancy

    • About
    • One login, many sub domains
    • One login per sub domain
  • User Pagination

Advanced users

    Advanced session management

    • Share sessions across sub domains
    • Anti CSRF
    • JWT Signing key rotation
    • Access token blacklisting
    • Customizing Error Handling

    Supertokens Core config

    • Adding API Keys
    • Tuning Performance
    • Logging
    • Rename database tables

    Make your own frontend

    • Sign-up / Sign-in custom theme
    • Reset password custom theme

    Make your own backend

    • Sign up custom API
    • Sign in custom API
    • Reset password custom APIs

NextJS

  • SuperTokens with NextJS
  • Deploy with Vercel
  • Deploy with Netlify

SIDEBAR_REPLACE_DOC_SDKs

  • SDKs

SIDEBAR_REPLACE_DOC_Compatibility Table

  • Compatibility Table

Migration

  • Migrating from an older version of SuperTokens
  • Migrating to SuperTokens
  • Migrating away from SuperTokens
  • From managed service to self hosted

Session management

If you have completed the Quick setup, you have already setup session management within your application.

SuperTokens provides a very secure session management out of the box. We prevent many session attack vectors like:

  • XSS (by using httpOnly cookies)
  • Minimises damage from JWT signing key compromise.
  • Minimises damage from session data theft from database.
  • Reliable detecting of session hijacking.
  • CSRF attacks
  • Brute force attacks
  • Session fixation

Overview of session flow ✨

  • After sign in, a new session is created by issuing a refresh and access token to the frontend.
  • The frontend sends the access token for each API call that requires session authentication.
  • These API calls verify the access token and its expiry. If verification fails, the API throws a session expired error, else, execution continues.
  • If an API throws session expired error, the frontend uses its refresh token to get a new refresh and a new access token. This is done via a special API on your backend. If a session has been revoked, this API will also throw session expired after which the user will have to login again.
  • After obtaining a new set of tokens, the frontend retries the original API call, yielding the desired result.
  • To revoke a session, the backend removes the refresh token and its session information from its database.
← Embed in a pageCookie Consent →