Handling multiple sessions across devices

How are multiple devices generally handled? I expect my users to log in on three devices at once (iPhone, iPad and Web). That said, the Pro function (enforce a single session per user) would not work here. On top of that, I really need to prevent abuse from my users, as there cannot be unlimited active sessions.
5 Replies
garyaustin, 2mo ago
On Free there are unlimited active sessions. On Pro there is only the single session limit. There is nothing documented on the process. I've seen a couple of users at least think about using the auth.sessions table with a trigger to count the sessions per user and limit that way. I don't recall if they said it worked. BUT you would be messing around in an area that is not documented and could change on you with notice.
royalshape (OP), 2mo ago
Is there any plan of increasing this single session limit on Pro?
garyaustin, 2mo ago
No one here could comment on that as we don't know Supabase's plans.
royalshape (OP), 2mo ago
How about using this trigger? Any chance it would work?

```sql
FOR EACH ROW AFTER INSERT ON auth.sessions
WHEN (NEW.user_id IS NOT NULL)
BEGIN
  DECLARE session_count INT;
  SELECT count(*) INTO session_count FROM auth.sessions WHERE user_id = NEW.user_id;
  IF session_count > 3 THEN
    -- Delete oldest sessions beyond the newest 3
    DELETE FROM auth.sessions
    WHERE user_id = NEW.user_id
      AND id NOT IN (
        SELECT id FROM auth.sessions
        WHERE user_id = NEW.user_id
        ORDER BY created_at DESC
        LIMIT 3
      );
  END IF;
END;
```

Yeah, I've run it on a test environment and I can confirm it works as expected.
garyaustin, 2mo ago
Good. Just remember, though, to have it as the first thing you check if you start getting auth errors. Supabase can and has changed the internal table structure without notice, as most of this is not documented for external use.
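
The trigger idea from this thread written out as a complete PostgreSQL statement pair, as an added example that is not code from either poster or from Supabase. The function and trigger names are hypothetical, the columns are the ones used in the posted snippet, and the per-user advisory lock is an addition so that two logins arriving at the same moment cannot both slip past the limit (assumes PostgreSQL 11 or later).

```sql
-- Added example. auth.sessions is an internal, undocumented table:
-- re-check this trigger whenever auth errors appear after an upgrade.
CREATE OR REPLACE FUNCTION public.enforce_session_limit()  -- hypothetical name
RETURNS trigger
LANGUAGE plpgsql
SET search_path = ''   -- every object below is schema-qualified
AS $$
DECLARE
  max_sessions CONSTANT int := 3;  -- one each for iPhone, iPad and Web
BEGIN
  -- Serialize concurrent logins of the same user. Without this, two
  -- transactions inserting at once cannot see each other's new row,
  -- each finds the user within the limit, and both sessions survive.
  PERFORM pg_advisory_xact_lock(hashtextextended(NEW.user_id::text, 0));

  -- Keep the newest max_sessions rows for this user, delete the rest.
  -- The row just inserted is visible here because this is an AFTER trigger.
  DELETE FROM auth.sessions
  WHERE id IN (
    SELECT id
    FROM auth.sessions
    WHERE user_id = NEW.user_id
    ORDER BY created_at DESC, id DESC   -- id breaks timestamp ties
    OFFSET max_sessions
  );

  RETURN NULL;  -- return value is ignored for AFTER ROW triggers
END;
$$;

DROP TRIGGER IF EXISTS enforce_session_limit ON auth.sessions;

CREATE TRIGGER enforce_session_limit   -- hypothetical name
AFTER INSERT ON auth.sessions
FOR EACH ROW
WHEN (NEW.user_id IS NOT NULL)
EXECUTE FUNCTION public.enforce_session_limit();
```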
