Single Device Session Handling Using NodeJS


Want to build an app with Node.js that is secure and can be trusted by the user? Then you need to handle sessions!

What is a Session?

In the computing world, a session refers to a limited time of communication between two systems. It is a sequence of interactions between client and server, or between user and system. It’s the period during which a user is logged in or connected.
A session is established through a login procedure and terminated by a log-out procedure. A network administrator might limit the duration of a session, at the expiration of which the session will be timed-out, or terminated. A session may also timeout if no activity is detected for a preset period of time.

“Why to use session and what happens if not employed?”

Now we have seen what a session is and how it is created and maintained. But a question arises: why use sessions at all?

This is best answered by explaining what happens if a developer does not use sessions in an app or website. The following are a few problems developers face if their applications have no session handling:

  • Identifying users uniquely becomes difficult
  • Storing the application's current state for each user on the server is a hefty task
  • User accounts become vulnerable to theft and other threats

That is why we need to employ sessions as a core piece of functionality while developing applications.

There are many different NPM modules for handling and maintaining sessions, like passport, OAuth and express-session. These are well tested and come with many other important features, but today we are going to handle sessions with a small custom-built module that can be adapted to your needs.

Case Study:

Nowadays we all come across applications which demand that a single user can only be logged in from a single device at a time, i.e. a user is logged out of all other devices as soon as he logs in from another one; WhatsApp is a familiar example.

In this blog, we will try to solve this scenario. Here are the steps:


  • Whenever a user provides his/her credentials on the login screen of the app, check whether the user exists in the database.
  • If yes, match the supplied credentials against the ones stored in the database.
  • If the credentials match, check whether the user already has a row in the “session_custom” table of the database.
  • This is the main play: if the user is found in the “session_custom” table, remove his previously stored row, which forces a logout on every other device, and then store his user id together with the new device id, device type, a random token and a destroy time (the time until which the user is allowed to stay logged in on this device before his session expires). If no session row exists for the user, simply save the new data.

Validating Sessions:

After a user successfully logs in to the app we need to handle his session: before every API call, we check the supplied random token against the one stored for the user in the “session_custom” table and update the destroy time. If the token matches and has not expired yet, the user may access the application's features; otherwise the user has to log in again.


Once the user clicks the logout button we remove his row from the “session_custom” table and redirect him back to the landing page of the app.

Signing Off!!

Hope we were able to solve the case study. Feel free to ask any questions you have regarding this blog. See you soon with more new stuff; till then, keep coding.

Arijit Sarkar

Arijit the guy-next-door is a software engineer at Innofied. He definitely loves coding and enjoys his daily meetup with Java, JavaScript, Node.js, MongoDB, Mongoose, C, etc. But what keeps him fresh and alive is music, friends, online chatting and a game of football.