Hanko 1.1 is here, introducing optional server-side sessions as an alternative to the previous approach of only issuing stateless JWTs, together with a number of smaller improvements and bug fixes.
With a new setting in the Session menu in Hanko Cloud, server-side sessions can be enabled or disabled. Alongside this setting, we've added a /sessions endpoint to the public API.
If server-side sessions are enabled (the default for new projects), sessions are stored in the database, displayed on the user's profile, and can be revoked by the user. Note: revocation only takes effect if your backend validates session JWTs through the new /sessions endpoint on every request. A purely local check of the JWT's signature and expiry cannot see the server-side session state and will keep accepting a token whose session has already been revoked.
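As an added illustration of that caveat (example code written for this post, not Hanko's own SDK or middleware), here is a Go handler wrapper that checks every request against the Hanko backend instead of only verifying the JWT locally, and fails closed when the backend cannot be reached. It assumes the validation endpoint is reachable at POST /sessions/validate with a JSON body of the form {"session_token": ...} and a response containing is_valid, and that the Hanko elements store the session token in a cookie named hanko; confirm both against the Hanko API reference for your version. The Hanko backend is replaced by a constructed in-process fake so the example runs offline.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ValidateResponse holds the fields this example assumes the Hanko session
// validation endpoint returns; check the API reference for your Hanko version.
type ValidateResponse struct {
	IsValid bool `json:"is_valid"`
}

// ValidateSession asks the Hanko backend whether a session token is still valid.
// The answer comes from the server-side session store, so a session the user
// revoked in <hanko-profile> fails here even though its JWT signature and expiry
// would still pass a purely local check.
func ValidateSession(ctx context.Context, client *http.Client, hankoAPI, token string) (*ValidateResponse, error) {
	body, _ := json.Marshal(map[string]string{"session_token": token}) // assumed request shape
	url := strings.TrimRight(hankoAPI, "/") + "/sessions/validate"      // assumed path
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("hanko returned HTTP %d", resp.StatusCode)
	}
	var vr ValidateResponse
	if err := json.NewDecoder(resp.Body).Decode(&vr); err != nil {
		return nil, err
	}
	return &vr, nil
}

// RequireSession checks every request's session against the Hanko backend. It
// reads the "hanko" cookie (the cookie name assumed here for the Hanko elements)
// and fails closed: if Hanko is unreachable the request is refused rather than
// falling back to trusting the JWT on its own.
func RequireSession(client *http.Client, hankoAPI string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("hanko")
		if err != nil || c.Value == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		vr, err := ValidateSession(r.Context(), client, hankoAPI, c.Value)
		switch {
		case err != nil:
			http.Error(w, "session validation unavailable", http.StatusServiceUnavailable)
		case !vr.IsValid:
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

// FakeHanko is a constructed stand-in for the Hanko backend so the example runs
// offline: tokens listed in revoked are reported invalid, all others valid.
func FakeHanko(revoked map[string]bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in struct {
			SessionToken string `json:"session_token"`
		}
		if r.Method != http.MethodPost || r.URL.Path != "/sessions/validate" ||
			json.NewDecoder(r.Body).Decode(&in) != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		json.NewEncoder(w).Encode(ValidateResponse{IsValid: !revoked[in.SessionToken]})
	}))
}

// StatusFor sends one request carrying token as the hanko cookie through h
// and returns the resulting HTTP status.
func StatusFor(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/me", nil)
	if token != "" {
		req.AddCookie(&http.Cookie{Name: "hanko", Value: token})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	hanko := FakeHanko(map[string]bool{"tok-revoked": true}) // constructed tokens, not real JWTs
	defer hanko.Close()
	api := RequireSession(hanko.Client(), hanko.URL, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "hello")
	}))
	fmt.Println("live:", StatusFor(api, "tok-live"), "revoked:", StatusFor(api, "tok-revoked"))
}
```

The revoked token is rejected with 401 even though nothing about the token itself has changed, which is exactly the effect a local signature check cannot produce. Treating a backend outage as 503 rather than letting the request through keeps the revocation guarantee intact at the cost of availability; if that trade-off is wrong for your service, make the fallback explicit rather than accidental.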
A sessions list has been added to the <hanko-profile> element, where users can see their active sessions and revoke them remotely. For each session it shows the operating system and browser (derived from the user agent string, which is client-supplied and therefore informational only), the IP address, and the date on which the session was last active.
Admins can now control how many active sessions are allowed per user. This matters in certain use cases, e.g. when only a single concurrent session per user should be permitted.