This repository has been archived by the owner on Jul 12, 2020. It is now read-only.

Better way for manage user sessions #195

Closed
iraniamir opened this issue Jan 30, 2018 · 3 comments

Comments

@iraniamir

I think we could make some changes in the code so that, when a user requests login, the system checks this user for an active session with the same user agent and, if there is one, doesn't create a new session and replies that an active session exists... GitHub sessions work like that!

@iraniamir iraniamir changed the title Better way fo manage user session Better way fo manage user sessions Jan 30, 2018
@gregfrasco
Contributor

I have written code to do that before, but it didn't make it in.

frame/server/api/login.js

Lines 87 to 108 in 9e5a5b9

```js
assign: 'existingSession',
method: function (request, reply) {
    const userAgent = Useragent.lookup(request.headers['user-agent']);
    const ip = request.info.remoteAddress;
    const browser = userAgent.family;
    const os = userAgent.os.toString();
    Session.findOne({
        userId: request.pre.user._id.toString(),
        ip,
        browser,
        os
    }, (err, session) => {
        if (err) {
            return reply(err);
        }
        return reply(session);
    });
}
```

@jedireza
Owner

jedireza commented Jan 31, 2018

Yeah, we should add this. One thing I would add... let's not use the IP as part of the unique identifier for the device. For example, my phone is the same browser/session but can be on multiple IPs per day.
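
The session reuse discussed above, with the device keyed on user, browser and OS but not IP, as an added example that is not part of the thread or Frame's code. `SessionStore`, `findOrCreate`, `deviceKey` and the 24-hour lifetime are hypothetical names and values; the browser and OS strings are assumed to be already parsed from the User-Agent header.

```javascript
const Crypto = require('crypto');

const SESSION_TTL_MS = 24 * 60 * 60 * 1000; // assumed lifetime, not a Frame setting

// Device key deliberately omits the IP: a phone keeps its browser/OS but
// changes networks during the day.
const deviceKey = ({ userId, browser, os }) => JSON.stringify([userId, browser, os]);

class SessionStore {
    constructor() {
        this.byDevice = new Map();
    }

    // Call only after the credential check has succeeded. browser/os come from
    // the client-controlled User-Agent header, so they select which of the
    // user's own sessions to reuse; they never authenticate anyone.
    findOrCreate(login, now = Date.now()) {
        const key = deviceKey(login);
        const existing = this.byDevice.get(key);
        if (existing && existing.expiresAt > now) {
            existing.lastIp = login.ip;      // IP kept as audit data only
            existing.lastSeen = now;
            return { session: existing, reused: true };
        }
        const session = {
            id: Crypto.randomBytes(16).toString('hex'),
            userId: login.userId,
            browser: login.browser,
            os: login.os,
            lastIp: login.ip,
            lastSeen: now,
            expiresAt: now + SESSION_TTL_MS
        };
        this.byDevice.set(key, session);     // replaces an expired entry
        return { session, reused: false };
    }
}

// Constructed sample logins (documentation IP ranges).
const store = new SessionStore();
const t0 = 1517356800000; // constructed timestamp
const phoneWifi = { userId: 'u1', browser: 'Mobile Safari', os: 'iOS 11.2.0', ip: '192.0.2.10' };
const phoneLte = { ...phoneWifi, ip: '198.51.100.7' };
const laptop = { userId: 'u1', browser: 'Firefox', os: 'Linux', ip: '192.0.2.10' };

const first = store.findOrCreate(phoneWifi, t0);                       // new session
const second = store.findOrCreate(phoneLte, t0 + 60000);               // same device, new IP
const third = store.findOrCreate(laptop, t0 + 120000);                 // different device
const fourth = store.findOrCreate(phoneWifi, t0 + SESSION_TTL_MS + 1); // expired, not reused
```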

@iraniamir iraniamir changed the title Better way fo manage user sessions Better way for manage user sessions Feb 3, 2018
@jedireza
Owner

jedireza commented Feb 3, 2018

In the next version of Frame I've simplified session handling a bit. I've removed the revoked property from sessions and also decided (for now) not to include any restoring session logic (this issue) by default.

I intend for Frame to be generic. This results in fewer opinions forced on other people and also less to maintain. For example, we're using hapi-auth-basic, which I don't recommend that anyone use. In 100% of my use cases I remove hapi-auth-basic as almost the first step. In some cases hapi-auth-cookie with keep alive configured has a really good session retention experience for me.

Thanks again for getting involved.

@jedireza jedireza closed this as completed Feb 3, 2018