# ory-network
f
We’re implementing authentication with users on both mobile and web platforms. We need mobile sessions to be long (persistent login on their personal device) and web sessions to be short. This is a potential blocker since I don’t see any mechanism to support this. Any recommendations?
p
Hi @fancy-oil-87995. Hmm, we don't have a setting to distinguish between native and browser-based sessions. But maybe what you could do is set the session to a really long time and then have your backend service (middleware) manage refreshing the session on browser flows: https://www.ory.sh/docs/kratos/session-management/refresh-extend-sessions#forcing-session-refresh. When a session is force-refreshed, the user is required to log in again.
f
Thanks for the suggestion. If one user authenticates twice (e.g. once on web, and once on a native app) will they have two distinct sessions, such that just the web session could have a force-refresh applied?
f
yes!
f
Ok, good. Having two sessions is a key piece. Alright, this feels a little bit hacky, but it seems like the options are: a) default to short sessions, then periodically extend some sessions with an administrative cron job on the backend using extendSession; b) default to long sessions, then shorten some as an administrative service using forceRefresh. Seems like b) might be the simpler choice between the two?
p
Yes, option b seems simpler. Your backend can do a quick calculation based on the session issue date and determine if there should be a refresh or not. You will also most likely do refreshes based on certain actions, e.g. "delete my organization".
Also, forcing a refresh on a session doesn't require admin rights to the project. Your frontend can even initiate it.
f
That’s helpful. Alright, I think this approach will work for us.