Session handling & tracking

How CareNova creates, validates, refreshes, and tracks user sessions using Supabase SSR and the user_sessions table.

Written By Dev010

Last updated 19 days ago

CareNova manages authentication state using HTTP-only cookie sessions handled by @supabase/ssr. On top of Supabase's built-in session management, CareNova maintains its own user_sessions table for tracking active sessions, monitoring device activity, and enabling session revocation.

Session Creation

When a user successfully logs in, two things happen in parallel:

1. Supabase session cookie: Supabase Auth generates a session token and stores it in an HTTP-only cookie via @supabase/ssr. This cookie is sent automatically with every subsequent request and is used to identify the authenticated user.

2. CareNova session record: a record is inserted into the user_sessions table capturing the session context:

| Column | Value Recorded |
| --- | --- |
| user_id | UUID of the authenticated user |
| session_token | Hashed session identifier |
| ip_address | IP address at time of login |
| user_agent | Full browser user agent string |
| device_info | Parsed device description |
| last_active_at | Timestamp of login |
| expires_at | Session expiry timestamp |
| is_revoked | false on creation |

These two layers work together: Supabase handles the cryptographic session token, CareNova handles the operational tracking.
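The following is an added example, not CareNova's own code, showing how a user_sessions row like the one in the table above can be derived from a fresh login, together with the two checks the validation side later runs against it (revocation/expiry, and matching a presented token against the stored hash). Assumptions that the page does not state: the hash is SHA-256 hex (the page only says "hashed"), device_info is a short "browser on OS" summary, and the function names (buildSessionRow, isSessionActive, matchesStoredToken) are chosen here for illustration. The sample user agent, IP and UUID are constructed.

```typescript
// Added example, not CareNova's own code. Derives a user_sessions row from a
// login and shows the validation-side checks. Assumed choices: SHA-256 hex for
// session_token (the page only says "hashed"); a short "browser on OS" string
// for device_info.
import { createHash, timingSafeEqual } from "crypto";

interface UserSessionRow {
  user_id: string;
  session_token: string;  // SHA-256 hex of the raw token, never the token itself
  ip_address: string;
  user_agent: string;
  device_info: string;
  last_active_at: string; // ISO-8601 timestamp
  expires_at: string;     // ISO-8601 timestamp
  is_revoked: boolean;
}

// Store only a hash so that a leaked user_sessions table does not contain
// usable session identifiers. SHA-256 is an assumed choice for this example.
function hashSessionToken(rawToken: string): string {
  return createHash("sha256").update(rawToken, "utf8").digest("hex");
}

// Rough user-agent summary for device_info. Order matters: an Android UA also
// contains "linux", an iPhone UA also contains "mac os", and a Chrome UA also
// contains "safari/".
function describeDevice(userAgent: string): string {
  const ua = userAgent.toLowerCase();
  const os =
    ua.includes("windows") ? "Windows" :
    ua.includes("android") ? "Android" :
    ua.includes("iphone") || ua.includes("ipad") ? "iOS" :
    ua.includes("mac os") ? "macOS" :
    ua.includes("linux") ? "Linux" : "Unknown OS";
  const browser =
    ua.includes("edg/") ? "Edge" :
    ua.includes("chrome/") ? "Chrome" :
    ua.includes("firefox/") ? "Firefox" :
    ua.includes("safari/") ? "Safari" : "Unknown browser";
  return `${browser} on ${os}`;
}

// Build the row inserted at login. `now` and `ttlSeconds` are passed in so the
// function is deterministic and testable.
function buildSessionRow(input: {
  userId: string;
  rawToken: string;
  ipAddress: string;
  userAgent: string;
  now: Date;
  ttlSeconds: number;
}): UserSessionRow {
  return {
    user_id: input.userId,
    session_token: hashSessionToken(input.rawToken),
    ip_address: input.ipAddress,
    user_agent: input.userAgent,
    device_info: describeDevice(input.userAgent),
    last_active_at: input.now.toISOString(),
    expires_at: new Date(input.now.getTime() + input.ttlSeconds * 1000).toISOString(),
    is_revoked: false,
  };
}

// Validation-side check: a row is usable only if neither revoked nor expired.
function isSessionActive(row: UserSessionRow, now: Date): boolean {
  return !row.is_revoked && Date.parse(row.expires_at) > now.getTime();
}

// Compare a presented raw token against the stored hash in constant time.
function matchesStoredToken(rawToken: string, row: UserSessionRow): boolean {
  const presented = Buffer.from(hashSessionToken(rawToken), "hex");
  const stored = Buffer.from(row.session_token, "hex");
  return presented.length === stored.length && timingSafeEqual(presented, stored);
}

// Constructed sample input (not real data).
const SAMPLE_UA =
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36";
const sampleRow = buildSessionRow({
  userId: "00000000-0000-4000-8000-000000000001", // placeholder UUID
  rawToken: "constructed-raw-session-token",
  ipAddress: "203.0.113.10",
  userAgent: SAMPLE_UA,
  now: new Date("2024-01-01T00:00:00Z"),
  ttlSeconds: 3600,
});
console.log(sampleRow);
console.log("active at 00:30:", isSessionActive(sampleRow, new Date("2024-01-01T00:30:00Z")));
```

Two design points worth noting: the raw token is hashed before it reaches the table, so the tracking layer never holds a value that could stand in for the Supabase cookie, and the token comparison uses timingSafeEqual so lookup time does not vary with how many leading bytes match.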

HTTP-Only Cookie Security

Sessions are stored exclusively in HTTP-only cookies.

| Property | Value |
| --- | --- |
| Storage | HTTP-only cookie |
| JavaScript accessible | ❌ No |
| Sent with every request | ✅ Automatically |
| Persists across page reloads | ✅ Yes |
| Vulnerable to XSS | ❌ No |

Because the session token is in an HTTP-only cookie, client-side JavaScript cannot read or modify it. This eliminates the entire class of XSS-based session theft attacks that affect applications storing tokens in localStorage.
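As an added example (not CareNova's or Supabase's code), the audit below parses a Set-Cookie header and reports which of the attributes in the table above are missing from a session cookie. The cookie name "session" and the header values are constructed; parseSetCookie and auditSessionCookie are names chosen here for illustration.

```typescript
// Added example, not CareNova's or Supabase's code: parse a Set-Cookie header
// and check that a session cookie carries the attributes that keep the token
// out of reach of page scripts and off plain HTTP.
interface ParsedSetCookie {
  name: string;
  value: string;
  // lower-cased attribute name -> value, or true for flag attributes (HttpOnly, Secure)
  attributes: Map<string, string | true>;
}

function parseSetCookie(header: string): ParsedSetCookie {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq >= 0 ? pair.slice(0, eq) : pair;
  const value = eq >= 0 ? pair.slice(eq + 1) : "";
  const attributes = new Map<string, string | true>();
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    if (i >= 0) attributes.set(attr.slice(0, i).toLowerCase(), attr.slice(i + 1));
    else attributes.set(attr.toLowerCase(), true);
  }
  return { name, value, attributes };
}

// Returns the list of policy violations; an empty list means the cookie passes.
function auditSessionCookie(header: string): string[] {
  const cookie = parseSetCookie(header);
  const problems: string[] = [];
  if (!cookie.attributes.has("httponly")) {
    problems.push("missing HttpOnly: readable through document.cookie");
  }
  if (!cookie.attributes.has("secure")) {
    problems.push("missing Secure: may be sent over plain HTTP");
  }
  const sameSite = cookie.attributes.get("samesite");
  if (sameSite === undefined || sameSite === true) {
    problems.push("missing SameSite: browser default applies");
  } else if (sameSite.toLowerCase() === "none") {
    problems.push("SameSite=None: cookie is sent on cross-site requests");
  }
  return problems;
}

// Constructed headers (not captured from a real deployment).
const HARDENED = "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=3600";
const WEAK = "session=abc123; Path=/; SameSite=Lax";
console.log("hardened:", auditSessionCookie(HARDENED)); // []
console.log("weak:", auditSessionCookie(WEAK));
```

HttpOnly stops scripts from reading the cookie value; it does not stop an injected script from issuing requests that the browser sends with the cookie attached, which is why the Secure and SameSite attributes and server-side revocation through user_sessions still matter alongside it.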

Session Validation on Every Request

The Next.js middleware runs on every request to a protected route and calls updateSession(), which performs the following: