Just one more thing: Session renewal #771
A really nice approach to me! I use Next.js' App router at the moment and this looks like an overall improvement.
This is probably a noob question, but I can't really find an answer in the docs. What is the purpose of having an idle expiration time and an active expiration time? I can understand that when it comes to tokens: a refresh token is used to fetch a new access token, and the access token is used to authenticate the request. But when it comes to sessions, why do we need two different expiration times? Why can't we just have one expiration time that gets extended every time a request comes in before the session expires? The document says

Any help is appreciated!
Hi, everyone!
I'm pretty happy with how the beta of version 2 is coming along, and there's just one more minor breaking change left (#772). I'll be slowly adding new OAuth providers and maybe adapters from the backlog after that.
...but, there's one more thing I'd like to change; something I've been thinking about on and off since before v1. It's a big change internally but won't be a breaking change for like 99% of users.
I'm considering removing session renewal (with an asterisk). It's one of the more annoying parts of Lucia. With this change, we won't have to set a new cookie after session validation (= Next.js 13 will just work), and for native apps, we just removed race conditions and renewal requests. In other words, it'll just make Lucia easier for everyone.
So what's the replacement? Simple, instead of creating a new session whenever a session is idle, we just extend the active and idle period expiration. It's still just renewing sessions, just that we're re-using old ones. The only downside to this is that if a session id is stolen unnoticed, it'll be valid until the user signs out. However, you generally have bigger issues if someone has access to your device.
That said, for apps that require strict security measures, you now can add absolute timeouts to sessions with the newly introduced session attributes. You can also limit the device and location the session can be used by keeping track of user agents and IP addresses. And if you really need a new session id to be created, you can implement it manually.
Finally, to my understanding, Github.com and NextAuth use this approach, so it's not something new.
The only breaking change is removing `Auth.renewSession()`, but I think most people just use `AuthRequest.validate()`.
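As an added example (not Lucia's own code, and not written by the post author) of the idle/active split asked about in the question above and described in this post: the active window is treated as the period in which validation is a pure read, the idle window as the period in which the same session id is kept and both windows are pushed forward, and an `absoluteExpires` attribute as the hard cap the post mentions. Which window means what is my assumption about the design, as are all names and the period lengths.

```typescript
// Added example, not Lucia's code. Timestamps are milliseconds since epoch.
// Assumed design: active window = read-only validation, idle window = extend
// on use (same id), absoluteExpires = hard cap stored as a session attribute.
type Session = {
  id: string;
  userId: string;
  activeExpires: number;          // now < activeExpires: valid, no write needed
  idleExpires: number;            // activeExpires <= now < idleExpires: extend
  absoluteExpires: number | null; // hard cap, never extended (null = none)
};

const ACTIVE_PERIOD = 60 * 60 * 1000;         // 1 hour (assumed)
const IDLE_PERIOD = 14 * 24 * 60 * 60 * 1000; // 14 days (assumed)

type ValidationResult =
  | { status: "active"; session: Session }
  | { status: "extended"; session: Session }
  | { status: "expired"; session: null };

function validateSession(session: Session, now: number): ValidationResult {
  // The absolute timeout wins over the idle/active state.
  if (session.absoluteExpires !== null && now >= session.absoluteExpires) {
    return { status: "expired", session: null };
  }
  if (now < session.activeExpires) {
    // Hot path: no write, no new cookie, no race between concurrent requests.
    return { status: "active", session };
  }
  if (now < session.idleExpires) {
    // Idle but not dead: keep the same id, push both windows forward.
    const extended: Session = {
      ...session,
      activeExpires: now + ACTIVE_PERIOD,
      idleExpires: now + IDLE_PERIOD,
    };
    // An extension must never outlive the absolute cap.
    if (extended.absoluteExpires !== null) {
      extended.activeExpires = Math.min(extended.activeExpires, extended.absoluteExpires);
      extended.idleExpires = Math.min(extended.idleExpires, extended.absoluteExpires);
    }
    return { status: "extended", session: extended };
  }
  return { status: "expired", session: null };
}
```

Because the active-window check performs no write, concurrent requests from a native app do not race to create a new session, and the cap bounds how long any single session id, stolen or not, can keep being extended.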