- no session state is kept in Optimize instances (in particular, no stored expiry date)
- session validity is based purely on the JWT, which is signed or encrypted with a server-side secret; whoever holds the secret can mint valid sessions, so it must be guarded like a credential
- session expiry is derived from the JWT's creation time plus the configured lifetime; the token itself carries everything needed to decide whether it is still valid
- the secret used to protect the JWT is configurable; the config value defaults to null, in which case the application generates a random secret on startup and uses it for all tokens. A random secret is unique to that process, so tokens issued by one instance are rejected by every other instance and all sessions are invalidated on restart; for a cluster the secret must be set explicitly and be identical on every instance
- a new login with the same credentials does not invalidate existing sessions for those credentials; because no server-side state exists, a single token cannot be revoked before it expires, and rotating the secret invalidates all sessions at once
Currently, user sessions are stored and their lifetime is maintained inside SessionService. This blocks easy clustering support regardless of the load-balancer policy used, because a session created by one particular Optimize instance is only valid on that exact instance.
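The stateless design described in the points above, as an added example that is not Optimize's own code: a minimal session-token service in Python's standard library that issues HS256-signed JWTs (the note says "encrypted"; an HMAC signature gives the same property that only a holder of the secret can produce an accepted token). Validity is decided solely from the signature and the creation-time claim, with expiry computed as creation time plus lifetime and no per-session state held anywhere. The class and function names, the claim names, the 60 s clock-skew tolerance, the secrets and the timestamps are assumptions chosen for illustration. The demo functions show the two operational consequences from the notes: with a null (random) secret a token issued by instance A is rejected by instance B, while a shared secret makes it portable across a cluster; and a second login for the same user leaves the first token valid.

```python
"""Stateless session tokens: HS256-signed JWTs validated from signature + creation time only."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionTokenService:
    """One per application instance; holds no per-session state (hypothetical class)."""

    def __init__(self, secret: Optional[bytes], lifetime_seconds: int, clock_skew_seconds: int = 60):
        # None mirrors the "defaults to null" config value: a random secret is generated on
        # startup. It is unique to this process, so other instances reject tokens signed with it.
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        self.lifetime = lifetime_seconds
        self.clock_skew = clock_skew_seconds  # assumed tolerance for clock drift between nodes

    def _sign(self, signing_input: str) -> bytes:
        return hmac.new(self.secret, signing_input.encode("ascii"), hashlib.sha256).digest()

    def issue(self, username: str, now: Optional[int] = None) -> str:
        """Create a token. Expiry is implied by iat + lifetime, so nothing is stored server-side."""
        iat = int(time.time()) if now is None else now
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
        payload = _b64url(json.dumps({"sub": username, "iat": iat}, separators=(",", ":")).encode())
        signing_input = f"{header}.{payload}"
        return f"{signing_input}.{_b64url(self._sign(signing_input))}"

    def validate(self, token: str, now: Optional[int] = None) -> Optional[str]:
        """Return the username if the token is authentic and unexpired, else None."""
        now = int(time.time()) if now is None else now
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
            # Always verify with our own algorithm and secret; the header's alg field is never
            # used to select the algorithm, which rules out alg=none style tricks.
            if not hmac.compare_digest(self._sign(f"{header_b64}.{payload_b64}"), _b64url_decode(sig_b64)):
                return None
            header = json.loads(_b64url_decode(header_b64))
            payload = json.loads(_b64url_decode(payload_b64))
        except ValueError:  # wrong number of parts, bad base64 or bad JSON
            return None
        if not isinstance(header, dict) or not isinstance(payload, dict) or header.get("alg") != "HS256":
            return None
        iat = payload.get("iat")
        if not isinstance(iat, int) or iat > now + self.clock_skew:
            return None
        if now - iat >= self.lifetime:  # expiry derived purely from creation time
            return None
        return payload.get("sub")


def cluster_demo(shared_secret: Optional[bytes]) -> tuple:
    """Issue on node A, validate on nodes A and B. Returns (accepted_by_a, accepted_by_b)."""
    node_a = SessionTokenService(shared_secret, lifetime_seconds=3600)
    node_b = SessionTokenService(shared_secret, lifetime_seconds=3600)
    token = node_a.issue("alice", now=1_700_000_000)  # constructed timestamp
    return (node_a.validate(token, now=1_700_000_100) == "alice",
            node_b.validate(token, now=1_700_000_100) == "alice")


def expiry_demo() -> tuple:
    """Lifetime 600 s, issued at t=1000: still valid at 1599, rejected at 1600."""
    svc = SessionTokenService(b"constructed-demo-secret", lifetime_seconds=600)
    token = svc.issue("bob", now=1000)
    return (svc.validate(token, now=1599) == "bob", svc.validate(token, now=1600) is None)


def concurrent_login_demo() -> bool:
    """A second login for the same user does not invalidate the first token."""
    svc = SessionTokenService(b"constructed-demo-secret", lifetime_seconds=600)
    first, second = svc.issue("bob", now=1000), svc.issue("bob", now=1001)
    return svc.validate(first, now=1100) == "bob" and svc.validate(second, now=1100) == "bob"


def tamper_demo() -> bool:
    """Rewriting the subject without the secret must fail signature verification."""
    svc = SessionTokenService(b"constructed-demo-secret", lifetime_seconds=600)
    header, _, sig = svc.issue("bob", now=1000).split(".")
    forged = _b64url(json.dumps({"sub": "admin", "iat": 1000}, separators=(",", ":")).encode())
    return svc.validate(f"{header}.{forged}.{sig}", now=1100) is None


if __name__ == "__main__":
    print("null secret:", cluster_demo(None), "shared secret:", cluster_demo(b"shared-cluster-secret"))
    print("expiry:", expiry_demo(), "concurrent:", concurrent_login_demo(), "tamper:", tamper_demo())
```

Because validation needs nothing but the secret and the clock, any instance configured with the same secret accepts the token, which is exactly what removes the per-instance dependency described above; the flip side is that the only way to end a session early is to let the lifetime run out or rotate the secret for everyone.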