March 25th, 2015
Announcing New Enhanced Sessions
At Parse, we're constantly striving to provide the tools you need to make your app more successful. One of the most important aspects of an app's success is security, so that people can trust your app when they use it. Parse already provides several tools to secure your app, including Access Control Lists (ACLs) for Parse Objects, Class-Level Permissions for each data table on Parse, and Cloud Code for even more in-depth security customizations. Today, we're excited to announce an update to our previous sessions functionality. With the new Enhanced Sessions feature, we're giving developers and people more control than ever over data security.
Prior to this launch, if a user logged into your app through multiple devices, this same session token was shared across all devices. This session token was not revocable, and upon logging out, the token was not destroyed.
Now, with Enhanced Sessions, the Parse Cloud will assign a unique revocable
Session object for each user on a given device for your specific app. This means different devices and web browsers will have different session tokens for the same user in your app. On mobile and web apps, you don't have to worry about creating and destroying sessions yourself. When users log in or sign up, the Parse Cloud automatically creates the corresponding
Session object. When users log out, the Parse Cloud automatically destroys the corresponding
Session object, which invalidates the session token that was previously assigned to that user's device.
We're also introducing a flexible Revocable Sessions API that lets you easily understand and securely manipulate user sessions in your app. You can see your app's
Session objects in your Parse account's Data Browser, just like any other Parse object. If a user contacts you about his or her account being compromised in your app, you can use the Data Browser, REST API, or Cloud Code to forcefully revoke user sessions using the Master Key. These new APIs also allow you build a “session manager” UI screen where your app's users can see a list of all devices they've logged in with, and optionally log out of other devices. This empowers people who use your app to help monitor and protect their accounts. In addition, for increased security, you can configure your app to automatically expire user sessions due to inactivity.
Today, we also announced Parse for IoT. The Revocable Sessions API lets you implement scenarios where people can use your app on their phone to provision restricted user sessions for their IoT connected devices. This not only allows IoT devices to securely access user data, but also protects your users' accounts in case their IoT device gets stolen. For example, the session token on an IoT device cannot be used to modify
User objects on Parse.
Session object in the Parse Cloud.
If you currently have a production app on Parse, we recommend that you upgrade to the new Revocable Sessions API as soon as possible to take advantage of the new, more secure model with unique tokens for each device, and the ability to easily revoke user session tokens when necessary. We've prepared a Session Migration Tutorial to help you upgrade your app smoothly.
For more about our Revocable Sessions API, please see our documentation.