Skip to content

Instantly share code, notes, and snippets.

@12fahed

12fahed/firebase-auth-session-management-proposal.md

Created January 4, 2026 08:16
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save 12fahed/42e802890b5b887b93c66d94ceadeb2d to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save 12fahed/42e802890b5b887b93c66d94ceadeb2d to your computer and use it in GitHub Desktop.
Download ZIP
Raw
firebase-auth-session-management-proposal.md

Proposal: Session Management & Device Visibility for Firebase Authentication

Overview

Firebase Authentication is widely used for secure and scalable authentication across web and mobile platforms. However, Firebase Auth currently lacks first-class session management and device-level visibility, which are now standard expectations for modern applications.

This proposal suggests introducing optional Session Management for Firebase Auth, enabling developers to view, manage, and revoke login sessions across devices using Firebase Admin SDK and (optionally) Client SDKs.

Problem Statement

Firebase Authentication today provides:

  • Token-based authentication (ID tokens, refresh tokens)
  • Global refresh-token revocation
  • Basic user metadata (lastSignInTime, creationTime)

However, it does not provide:

  • Visibility into active login sessions
  • Information about device type, OS, or platform
  • Approximate geographic context of logins
  • Per-session logout capability
  • Session-level last active timestamps

As a result, developers must build and maintain custom infrastructure for session tracking, increasing complexity and introducing inconsistent security implementations.

Proposed Feature: Firebase Auth Session Management (Opt-in)

1. Session Creation per Login

Each successful authentication creates a session object associated with the user.

A session would include:

  • sessionId
  • uid
  • createdAt
  • lastActiveAt
  • status (active / revoked / expired)
  • Authentication method (password, OAuth provider, SSO, etc.)

2. Device & Platform Metadata (Derived from User-Agent)

Firebase Auth should optionally capture sanitized, structured metadata derived from the User-Agent header at login time.

Example Metadata (Privacy-Safe)

  • Device category

    • Desktop / Mobile / Tablet

  • Operating system

    • Windows, macOS, Linux, Android, iOS

  • OS version (optional, coarse-grained)

  • Browser or runtime

    • Chrome, Firefox, Safari, Edge
    • Android WebView
    • iOS App

  • Application type

    • Web
    • Android App
    • iOS App

Raw User-Agent strings should not be exposed to clients. Firebase should internally parse and normalize this data into structured fields.

This aligns with how many platforms already process User-Agent headers for analytics and security while preserving privacy.

3. Approximate Location Information

Each session may include approximate location data, derived from IP at login time:

  • Country
  • Region / State (optional)
  • City (optional)

Privacy considerations:

  • No raw IP addresses exposed
  • Approximate resolution only
  • Configurable granularity or full opt-out

4. Session Visibility & Management APIs

Admin SDK Capabilities

Provide new Admin SDK APIs to:

admin.auth().listUserSessions(uid)
admin.auth().revokeSession(uid, sessionId)
admin.auth().revokeAllSessions(uid)
admin.auth().revokeAllExcept(uid, currentSessionId)

Admins can:

  • Inspect all active sessions
  • Identify suspicious or unused sessions
  • Revoke sessions selectively

Client SDK (Optional / Read-Only)

Allow developers to expose a “Logged-in Devices” UI for end users.

Each session could display:

  • Device type & OS (e.g., Windows · Chrome)
  • Approximate location (e.g., Mumbai, India)
  • Last active time
  • Current session indicator
  • Logout button (per session)

5. Last Active Tracking

Firebase Auth updates lastActiveAt when:

  • Refresh tokens are used
  • Tokens are validated beyond a configurable interval

This enables:

  • Detection of inactive sessions
  • Auto-expiry rules
  • Better security auditing

Privacy & Security Design

  • Feature is opt-in per Firebase project

  • Developers control:

    • Session retention duration
    • Location granularity
    • Client visibility

  • No sensitive raw headers or IP addresses exposed

  • Client SDK can only access own user’s sessions

  • Admin SDK has full control

Why This Feature Is Important

For Developers

  • Eliminates custom session-tracking implementations
  • Simplifies security features like “Log out from other devices”
  • Reduces backend complexity and bugs

For End Users

  • Transparency into account usage
  • Improved account security
  • Familiar UX seen in major platforms

For Firebase

  • Closes a major feature gap vs Auth0, Cognito, and enterprise IdPs
  • Makes Firebase Auth viable for security-sensitive SaaS and enterprise apps

Comparable Platforms

Platform Device Info OS Info Per-Session Logout
Google Account
Auth0
AWS Cognito ⚠️ Limited ⚠️ Limited ⚠️ Limited
Firebase Auth

Suggested Rollout

  1. Admin SDK support first
  2. Opt-in via Firebase Console
  3. Client SDK read-only support
  4. Gradual rollout with quotas and pricing tiers if needed

Conclusion

Introducing session management with device, OS, and approximate location visibility would significantly enhance Firebase Authentication’s security and usability. By deriving structured metadata from User-Agent headers in a privacy-safe manner, Firebase can provide enterprise-grade session control while maintaining its simplicity-first philosophy.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment