Revocable sessions

[sorin-davidoi]

As discussed in #3243, this introduces revocable sessions as explained here.

Left to do:

• Expose the maximum number of sessions as a configuration option (in config/environments?)
• Make tests pass (see this discussion)

[sorin-davidoi]

Where should the maximum number of session be set? Was thinking of config/settings.yml, but it seams that all those options are configurable from the Web UI.

[Gargron]

@sorin-davidoi Probably a config/initializers/ file. What maximum number of sessions do you mean though? Why should there be a maximum?

[sorin-davidoi]

With this modification, each login creates a new entry in the session_activations table. If the user frequently switches devices (or uses "private browsing" or just logs in frequently), I imagine this could lead to some space problems. So we place a limit on the number of active sessions (if LIMIT is 5 and your current login creates the sixth session, the first one gets deleted).

[Gargron]

@sorin-davidoi I wonder if it would be more appropriate to store sessions in Redis rather than Postgres.

[sorin-davidoi]

Not familiar at all with Redis, but I guess that would make #3243 harder? We need to link the subscription to the session that created it, to make sure that they get deleted together.

[sorin-davidoi]

Added the configuration option (defaulting to a maximum of 10 active sessions per user).

[sorin-davidoi]

Anything else I can do here to help with this?

[Gargron]

It'd be cool to have some input from @mjankowski or @krainboltgreene on this, looks okay to me but perhaps they had to implement something similar for different applications.

[sorin-davidoi]

Rebased, moved the migration date to today (I guess this is the right thing, correct?).