Skip to main content

Session management

Sessions can be managed by:

  1. The user who owns the session through self-service endpoints
  2. System administrators through administrative endpoints

Self-service

Self-service session management allows users to manage their accounts on their own, without any administrative intervention. Each user can manage only the sessions tied to their accounts.

note

When performing these operations, remember to include the Ory Session Cookie in the requests. When calling the endpoints from a proxy or middleware, make sure to forward the cookies sent to the proxy/middleware. When calling these endpoints as AJAX calls, make sure to include credentials and configure CORS properly.

Listing all active sessions

You can show users a list of all of their active sessions using the session listing API from the SDK. The API returns a paginated response. Optional parameters allow to get a specific page and define the number of items shown on a single page.

tip

You can use this call to build a user interface (UI) that shows users their active sessions.

package main

import (
	"context"
	"fmt"
	"github.com/ory/client-go"
	"os"
)

func init() {
	cfg := client.NewConfiguration()
	cfg.Servers = client.ServerConfigurations{
		{URL: fmt.Sprintf("https://%s.projects.oryapis.com", os.Getenv("ORY_PROJECT_SLUG"))},
	}

	ory = client.NewAPIClient(cfg)
}

func GetActiveSessions(ctx context.Context, sessionToken string) ([]client.Session, error) {
	// Page and Per Page parameters are optional
	activeSessions, _, err := ory.FrontendApi.ListMySessions(ctx).
		XSessionToken(sessionToken).
		Page(1).
		PerPage(10).
		Execute()
	if err != nil {
		// error fetching active sessions, for example due to expired session token
		return nil, err
	}

	return activeSessions, nil
}

Revoking a specific session

You can revoke specific sessions using the revoke session API. This allows users to log out from their account on different devices or terminate sessions they don't recognize and suspect of malicious activity.

Sessions revoked by users are not deleted from the system. Instead, they become inactive. Only administrators can delete sessions using the administrative endpoints.

info

This API can only revoke sessions other than the current session. To revoke the current session, use the self-service logout.

package main

import (
	"context"
	"fmt"
	"github.com/ory/client-go"
	"os"
)

func init() {
	cfg := client.NewConfiguration()
	cfg.Servers = client.ServerConfigurations{
		{URL: fmt.Sprintf("https://%s.projects.oryapis.com", os.Getenv("ORY_PROJECT_SLUG"))},
	}

	ory = client.NewAPIClient(cfg)
}

func RevokeSession(ctx context.Context, sessionToken string, sessionToRevokeId string) error {
	_, err := ory.FrontendApi.DisableMySession(ctx, sessionToRevokeId).
		XSessionToken(sessionToken).
		Execute()
	if err != nil {
		// error revoking the session, for example due to expired token provided
		return err
	}

	return nil
}

Revoking all other sessions

To allow users to revoke all sessions other than the currently active one, use the revoke sessions API. Sessions revoked by users are not deleted from the system. Instead, they become inactive.

Only administrators can delete sessions using the administrative endpoints.

info

This API can only revoke sessions other than the current session. To revoke the current session, use the self-service logout.

package main

import (
	"context"
	"fmt"
	"github.com/ory/client-go"
	"os"
)

func init() {
	cfg := client.NewConfiguration()
	cfg.Servers = client.ServerConfigurations{
		{URL: fmt.Sprintf("https://%s.projects.oryapis.com", os.Getenv("ORY_PROJECT_SLUG"))},
	}

	ory = client.NewAPIClient(cfg)
}

func RevokeOtherSessions(ctx context.Context, sessionToken string) (*client.DeleteMySessionsCount, error) {
	revokedSessionsCount, _, err := ory.FrontendApi.DisableMyOtherSessions(ctx).
		XSessionToken(sessionToken).
		Execute()
	if err != nil {
		// error revoking the sessions, for example due to expired token provided
		return nil, err
	}

	return revokedSessionsCount, nil
}

Administrative

Administrative session management allows privileged users to manage all sessions in the system.

info

You must use an API Key for all administrative session management operations. Read Authorization with API Keys to learn more about API Keys in the Ory Network.

Initializing the Go SDK client
package session

import (
	"context"
	"fmt"
	"github.com/ory/client-go"
	"os"
)

var ory *client.APIClient

func init() {
	cfg := client.NewConfiguration()
	cfg.Servers = client.ServerConfigurations{
		{URL: fmt.Sprintf("https://%s.projects.oryapis.com", os.Getenv("ORY_PROJECT_SLUG"))},
	}

	ory = client.NewAPIClient(cfg)
}

func ContextWithToken(ctx context.Context) context.Context {
	return context.WithValue(ctx, client.ContextAccessToken, os.Getenv("ORY_API_KEY"))
}

Listing all sessions

You can get a list of all sessions available in the system using the list sessions API from the SDK. The API returns a paginated response. Optional parameters allow to get a specific page and define the number of items shown on a single page.

Listing all sessions
package session

import (
	"context"
	"github.com/ory/client-go"
)

func GetSessions(ctx context.Context, pageToken string, perPage int64) (sessions []client.Session, err error) {
	sessions, _, err = ory.IdentityApi.ListSessions(ContextWithToken(ctx)).
		PageToken(pageToken). // Optional - token id
		PageSize(perPage).    // Optional - number of sessions per page
		Active(true).         // Optional - used to filter result for active or inactive sessions; not setting this returns all sessions
		Execute()

	if err != nil {
		return nil, err
	}

	return sessions, err
}

Listing all sessions of a user

Administrators can get a list of all sessions of a given available in the system using the list identity sessions API from the SDK. The API returns a paginated response. Optional parameters allow to get a specific page and define the number of items shown on a single page.

package session

import (
	"context"
	"github.com/ory/client-go"
)

func GetIdentitySessions(ctx context.Context, identityId string, pageNumber int64, perPage int64) (sessions []client.Session, err error) {
	sessions, _, err = ory.IdentityApi.ListIdentitySessions(ContextWithToken(ctx), identityId).
		Page(pageNumber). // Optional  -  page number
		PerPage(perPage). // Optional - number of sessions per page
		Active(true).     // Optional - used to filter result for active or inactive sessions; not setting this returns all sessions
		Execute()

	if err != nil {
		return nil, err
	}

	return sessions, err
}

Getting session details

Administrators can get the details of any session available in the system using the get session API from the SDK.

Get a session
package session

import (
	"context"
	"github.com/ory/client-go"
)

func GetSession(ctx context.Context, sessionId string, expandOptions []string) (session *client.Session, err error) {
	session, _, err = ory.IdentityApi.GetSession(ContextWithToken(ctx), sessionId).
		Expand(expandOptions).
		Execute()

	if err != nil {
		return nil, err
	}

	return session, err
}

Revoking a session

Administrators can revoke any session available in the system using the revoke session API from the SDK.

Disabling a session
package session

import (
	"context"
)

func DisableSession(ctx context.Context, sessionId string) (err error) {
	_, err = ory.IdentityApi.DisableSession(ContextWithToken(ctx), sessionId).
		Execute()
	return err
}

Revoke and delete sessions of a user

Administrators can revoke and delete all sessions of a specific user using the revoke and delete identity sessions API from the SDK.

note

This operation forcefully logs the user out of all their sessions and deletes all session data.

package session

import (
	"context"
)

func DisableAndDeleteSessions(ctx context.Context, identityId string) (err error) {
	_, err = ory.IdentityApi.DeleteIdentitySessions(ContextWithToken(ctx), identityId).
		Execute()
	return err
}