Handling multiple session / Updating a session?

[maxpaleo]

All right, I decided to start a discussion as I have I been going through the docs for days, but still don't understand some of the Core Lucia concepts, or how to handle sessions correctly.

I'll first summarize the application structure:

The app has a standard sass structure with both users and organizations. Users are authenticated and have their own account, but can also belong to an organization.

For user authentication: everything is set up correctly, but everything I've tried to handle org sessions has failed so far.

Here is what I've tried:

1. I tried creating 2 instances of lucia (lucia and luciaOrg), each with their own adapter and type. This didn't work, even though I would luciaOrg.createSession(user.id, properties) for example, it would still create it under the lucia instance. Quite confusing because no error is thrown when doing this, but I understand that it isn't possible to do based on a dicusssion in this repo. (One comment does mention he was able to do this though, which makes it all the more confusing).

2. I've tried creating a new session when the user switches the org using and set the cookie with a custom cookie name of access-org-[ORGID]. I create a new session with the properties for the organization id and the user role.

The session gets created, and I then set it in a new cookie, but when I validate the cookie session and return the data, it does not contain any of the data I just set. It still contains the default data that was set when the user signed in.

I don't know why this is. Does Lucia always refer to a single session per user? If yes, does it only take the first session or the last session? Is it possible to "overwrite" a session in general"?

  const properties = { // Properties for the org session. 
    organizationAccess: {
      organizationId: relation?.organizationId,
      role: relation?.account_type,
    },
  };
  
   session = await lucia.createSession(user.id, properties); // New org session created. 
  

3. I tried the same process explained in point 2 but by using the same cookie name for the session, with the goal of essentially "overwriting" the existing cookie with the previous data but with the new data for the org access.

This also does not work. It does correctly create the session in the db, and sets a new cookie with the same name, but none of the data passed in this new session is included. The data is still that of the first created session.

Below are the database attributes I defined. Ideally, I would like to create an entire new structure for organization access sessions, but I understand that this isn't possible, so the only option seems to be to modify the default user session structure, and add properties to manage organization access.

export interface SessionData {
  email: string;
  github_id: string;
  email_verified?: Date | null;
  missing_data: boolean;
  last_active_organization: number;
  organizationAccess: { // The org id and role can be null. These are only set when the user access an org. Doesn't currently work however. 
    organizationId: number;
    role: UserRole;
  };
}

I would really appreciate if the above could be clarified and or if there was a general summary of how to handle multiple sessions or updated sessions.

Additionally:
These aren't questions related to what we're trying to set up, but it would be really useful if the docs could cover these topics, as I've seen these questions being asked by devs all over the web, but many remain unanswered or contain confusing answers.

1. Multiple sessions. I now know that it isn't possible to create multiple Lucia instances to handle different type of sessions after seeing one discussion in the GitHub repo, it would be handy to have this in the docs with some information on how to best handle them, and also clearly state in the docs that this isn't possible because no errors are thrown when trying this.

2. Updating sessions. The docs don't mention updating sessions, which I've also seen several people ask, and I can't seem to get to update a session's data.

3. Custom IDs: The docs briefly mention the ability of setting custom ids, but it would useful to explain why this is even an option. Is this related to different sessions?

4. The docs mention setting a blank cookie when deleting a session; but don't explain why. Again: it might be an obvious answer, but since the docs to cover it, devs might ask themselves if issues they are having are related to this.

5. Cookie names: This might but obvious, but the docs don't cover them at all. Is it recommended to use custom cookie names or should cookies always be set using the name provided by the created session cookie? A brief section about custom cookie names might be useful to add to the docs.

6. Handling multiple identical. Nothing covers how Lucia handles multiple identical sessions. For example: if you "update" the auth_session by creating a new one with the previous data, but overwrite it with some new data and don't invalidate the previous session, which session does Lucia refer to? Again: it might seem obvious, but I spent hours trying to figure this and still don't have an answer and am not sure if this relates to me not being able to set new session properties. Does it rely on first session? Or the last session?

[maxpaleo]

Here is a recording on the above as well: https://www.loom.com/share/c2da5b08edc849a6b01b9872da16d063

[noxify]

Tried it shortly with our internal app.

First, I just updated the record in the session table ( via TablePlus ) and reloaded the page --> the session information was updated.

Then I tried to use a server action to create a new session:

import { cookies } from "next/headers"
import { redirect } from "next/navigation"
import { auth, lucia } from "@acme/auth"

export default async function Page() {
  const { user } = await auth()

  if (!user) {
    redirect("/auth")
  }

  return (
    <>
      <button
        onClick={async () => {
          "use server"
          const newSession = await lucia.createSession(user.id, {
            companyId: 4567,
            ipAddress: "127.0.0.1",
            userAgent: "Chrome",
          })

          const newCookie = lucia.createSessionCookie(newSession.id)

          cookies().set(newCookie.name, newCookie.value, newCookie.attributes)
        }}
      >
        Update session
      </button>
    </>
  )
}

But here I got the following error message:

Error: Connection closed.

I didn't checked how to solve it ( if it's solvable ).

Last one was to create a new api route with the following code:

import type { NextRequest } from "next/server"
import { cookies } from "next/headers"

import { lucia } from "@acme/auth"

export async function GET(req: NextRequest) {
  const sessionId = req.cookies.get(lucia.sessionCookieName)?.value ?? null

  // no cookie exists
  if (!sessionId) {
    return new Response(null, {
      status: 302,
      headers: {
        Location: "/auth",
      },
    })
  }

  const { user } = await lucia.validateSession(sessionId)

  if (!user) {
    return new Response(null, {
      status: 302,
      headers: {
        Location: "/auth",
      },
    })
  }

  const newSession = await lucia.createSession(user.id, {
    companyId: 4567,
    ipAddress: "127.0.0.1",
    userAgent: "Chrome",
  })

  const newCookie = lucia.createSessionCookie(newSession.id)

  cookies().set(newCookie.name, newCookie.value, newCookie.attributes)

  return new Response(null, {
    status: 302,
    headers: {
      Location: "/",
    },
  })
}

And in the Page, I have the following Link:

<Link href={`/api/update-session`} prefetch={false}>
  Update Session
</Link>

I had to reload the page, but then, I have seen the new created session in the terminal log.

Tbh. not sure if this solves your problem, but maybe it gives you some inspiration to solve it.

[maxpaleo]

Hi @noxify , thanks for the answer; I am not entirely sure how this relates to what I originally wrote, but let me clarify:

What you are showing above is a button that, when clicked triggers your update session function (Api route), and then stores the new session in a cookie with the default name auth_session, right?

So you now have 2 sessions in the db, and when you validate the session, does it contain the updated data?

[maxpaleo]

Here is another video that shows the exact process of how I am trying to update the session, but none of the data is actually getting updated: https://www.loom.com/share/2a037d3cd6284323b0efe53d7b0f658b

[noxify]

Hi @maxpaleo,

sorry for the delayed answer. There was an issue in the mobile app and I wasn't able to send you my prepared text 🙈

Have seen that you have closed this discussion, I assume you have found a solution?

Here the answer from last night:

---

Thanks for the video - I understand your pain points with the documentation.
I think this will be fixed in the future or isn’t relevant in the future if Lucia will provide only a wrapper and we can define the database connection by our own, which would also solve some other problems e.g. providing relationships in the user object.
( #1639 )

If I'm not wrong, the session information is always fetched from the session table.

If you want to store some additional information in the session, you have also to create the field(s) in the session table, too.

In the past I created a template for turborepo w/ lucia-auth ( based on the t3-turbo repo ) and I created an example for some additional fields ( mainly to provide a list of active sessions for the user )

Drizzle schema with some additional fields for the session table:
https://github.com/noxify/t3-turbo-lucia/blob/main/packages/db/src/schema.ts

And here the Lucia configuration:
https://github.com/noxify/t3-turbo-lucia/blob/main/packages/auth/src/index.ts

So you now have 2 sessions in the db, and when you validate the session, does it contain the updated data?

In our internal app, we‘re using the same code, just with prisma - so it seems that validating the new session is working, since the validateSession is called everytime when auth() will be called ( e.g. in a page or in a api route )

But yes, I have now two sessions for the user - We could delete the old one ( or expire them and using a scheduled job for the cleanup )

---

Hope that helps ✌️

[maxpaleo]

Hi @noxify ,

Thanks for the reply.

I finally managed to figure out how Lucia works, the entire time i was trying to set attributes to the user attributes instead of the session attributes. I am not sure why these elements aren't type safe though.

I now understand how things work, but yes, as previously mentioned, the docs are truly lacking. I could have grasped the entire thing in 30 min instead of a week if there had there been a clear structure to the docs.

I've mentioned what I feel is lacking in my previous message but if I can share some additional recommendations:

1. In the intro and getting started, rather than immediately getting into the technical bits, start by offering a high level real-life example of what a session is, how Lucia manages them and what problem they solve. I know that this might be obvious to the person that wrote the lib, but it isn't always for the dev using it, and getting a high level overview helps with immediately understanding what it consists of.

2. A search function in the docs would be quite useful.

3. The Lucia class methods are all "hidden" in the docs under API > lucia > Methods . I am not sure why they would be so out of sight considering these are the main lib functions. Again: this might be obvious to the person that wrote the lib, but these small things end up taking devs hours of exploration work instead of minutes.

4. All of the Lucia versions have their docs visible online on different domains. Maybe a minor detail, but when I first started using it, I was referring to the V2 docs since I searched for "Lucia docs" on google, and spent hours writing code based on those docs. It might be worth putting everything under a single domain and version the docs per lib version.

5. As mentioned earlier as well: JS docs, and more typesafety. I know all devs don't pay the same importance to this, but I think everyone can agree that they offer a better dev experience in general. I personally always include a JS doc description + bullet point of everything to not for each function, method, etc so that other devs immediately understand what something does without having to consult the docs.

But hey, this is just how I see things, but on the other hand: the lib itself is really cool. 👍🏼