Skip to main content

Introduction

SuperTokens provides session management out of the box. We prevent many session attack vectors like:

  • Minimises impact of XSS attacks (by using httpOnly cookies for browser sessions)
  • Minimises damage from access token signing key compromise.
  • Minimises damage from session data theft from database.
  • Reliable detecting of session hijacking.
  • CSRF attacks
  • Brute force attacks
  • Session fixation

Overview of session flow

Flowcharts showing an overview of session flow
  • After sign in, a new session is created by issuing a refresh and access token to the frontend.
  • The frontend sends the access token for each API call that requires session authentication.
  • These API calls verify the access token and its expiry. If verification fails, the API throws a session expired error, else, execution continues.
  • If an API throws session expired error, the frontend uses its refresh token to get a new refresh and a new access token. This is done via a special API on your backend. If a session has been revoked, this API will also throw session expired after which the user will have to login again.
  • After obtaining a new set of tokens, the frontend retries the original API call, yielding the desired result.
  • To revoke a session, the backend removes the refresh token and its session information from its database.