Question: Session length when using magic links

In the manual when you login using a username, password combo you have two session options depending on ticking the box.

How long is the session duration with a magic link?

image1730×1299 181 KB

good question…I have no idea, and I’d imagine Bubble support might be the best source for a definitive answer, and would love to know what they report back to you.

Ive asked support, ill report back what they say.

I do however think it is longer than 24h, but would like to know for certain incase i have users with active sessions on multiple devices for 365 days all over the place. Thats not an ideal security solution.

They should give option of keeping logged in or not to be consistent across the platform.

agreed, there needs to be a bit more formality about how session times are managed. Hopefully the 2nd tier support can guide us on this shortly and update the documentation.

Bubble.io support

"The magic login link will allow a user to remain logged into your app for 365 days. Currently, there isn’t a way to shorten this user session. If you have 2Factor Authentication enabled for your app, then the user would still get redirected to the MFA page and can have 30 days as an option. In addition, the magic login link itself can expire within 24 hours, depending on your configuration of the action.

I’ve also shared this information with our documentation team so that our manual can be updated to include this. Please do let me know if there’s anything I can clarify further!"

So there we have it @boston85719

Now based on this answer and considering I capture the magic link and resend this to the user I need to consider a few things.

Delete or suspending the user required and auto log out of all sessions and in the case of a suspend i should change the users email address to be a system unique email address that doesn’t exist on a temporary pre-delete basis.

Consider 2 factor as above.

Only allow the user to have one session logged in at a time, e.g log the user out of all sessions when they request a magic link.
This is probably important as well as the user could (and i have tried it) be logged in, then request a magic link and forward to someone else who can log in as them and continue to use their account indefinitely. This is fine depending on your site, but not ideal for other paid services.

Consider a routine where the user has one session and a log in time is captured when the magic link is used and all other sessions are logged out. Then, after a set period of time using db triggers log the user out of the active session (and maybe all sessions to be sure).

Keep a log of magic link request per user? then alert me if there are abnormal requests (spam), maybe implement captures.

Anyone else think of other things the should be considered?

Sounds like the focus here is ensuring users are not sharing their accounts, so perhaps some browser tools that capture the IP address (of course one user can have multiple when they login via a cafe or something) but also the device details (thought is likely same user has one or two devices max they login from) to be able to cross check if IP and device are different, perhaps that is indication they maybe sharing their account…in which case, you could force them to do a password reset, which when people share accounts is likely to help them reconsider if they are forced to password reset if you detect abnormal situations.

I dont actually have any passwords… its pure magic links

When they get the link there is an intermediary page (due to an issue with Microsoft outlook corporste security following and invalidating the links before they’ve clicked, another forum post).

So when they get here i can just run an auto logout all other sessions but this new one.

Then update the logged in date and time on the user and have a database trigger that looks at the last login time + arbitrary date, time (yet to be decided) that logs out all sessions including current so they are forced to request the link at some time.

That should do the trick, i think

Interesting. What’s the use case?

the use case for no passwords?

If this is what you mean, then

• passwords can be shared
• are often forgotten and reset causing a painful reset process, plus less work for me in theory.
• no password (is in theory) are more secure as they require access to the registered email account, no brute password cracking.
• I can create custom session length for a sub set of users (you can probably do this with a password, however I just thought of this and wanted to log it for my future reference ).

I thought I would add to this for my reference and others.

Magic links can be shared (if not clicked) when the user receives one in the email (similar to passwords being shared between users), so if you are to create a passwordless system (as I have) and you only want a single user session, consider when they login via a magic link on a dedicated page logging them out of all other sessions.

or when create a new date time stamp on the user record for when a new session is started and use a database trigger to log out of all other sessions.

Considering the sessions can last 365 days, this could allow users to unwillingly have rouge access to their accounts on shared machines.

Have you thought of charging on something other than users, consumption of some sort?

Hey RPSM, in this particular use case its more of a security thing, rather than a cost thing. In both the password (checked option) and the magic link leaving the user to have a 365 day session on an unlimited number of logins.

I just think depending on how people suspend, soft delete, or even remove users it is probably good practice to clear the sessions for them using a backend workflow and then have a trigger on the page to send a page refresh. Also on the page(s) check if the users is logged out, and redirect if that is the case

Interesting. I was looking to see if there was a way I could force suspend users, and while I take away viewing rights, this is a good user experience.