Replies: 1 comment

This is somewhat related to #10370
Currently sessions are only stored in Infinispan, and are often lost in terms of not using remember me, or idling out. What we really want is more long-lived and durable sessions.
Take as an example mobile applications where people want to be logged in more or less permanently. Rather than expiring sessions, we should look at re-validating users.
Similarly for regular browser sessions, removing the sessions is somewhat problematic as it loses our ability to continuously verify a user. It is much better to "re-establish" an existing session through re-authentication than to start completely from scratch.
Not sure exactly how this should look in practice, but mostly opening this as a discussion topic.
I could imagine something along the lines of detecting devices used by users, and attaching a device to a permanent session associated with a user. Detecting a device can be done through a permanent cookie, but ideally would be something that lives even beyond that.
It would require a slightly different approach to sessions where they should be able to scale more, and have a slightly different take on how to "garbage collect" them. Then verify session validity not just based on whether they exist or not, but more in terms of when the session was last verified (re-authentication). At the same time, limit users to one session per device (a device in this regard is really a browser, rather than a physical device, as it is not expected that two browsers on the same machine are shared). Further, if we can match the session with the device we have additional ways to lock down a given session.
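To make the session model sketched in the post concrete, here is a small added example (my own illustration, not Keycloak's or Infinispan's code). It assumes a stable device identifier is already available (for instance from a long-lived cookie) and models the three ideas from the post: one session per (user, device), validity judged by when the session was last verified rather than by mere existence, and garbage collection that only removes sessions that have gone unverified for a much longer window. Names such as `DurableSessionStore`, `reverify_after` and `gc_after` are my own choices; the timeline in `demo()` is constructed.

```python
"""Model of durable, device-bound sessions with re-verification (added example)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Session:
    user_id: str
    device_id: str  # stable browser/device identifier, assumed to come from a long-lived cookie
    created_at: datetime
    last_verified: datetime  # updated on every successful (re-)authentication
    session_id: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    revoked: bool = False


class DurableSessionStore:
    """Sessions never expire merely by age; they demand re-auth when stale
    and are collected only after a much longer period without verification."""

    def __init__(self, reverify_after: timedelta, gc_after: timedelta) -> None:
        if gc_after <= reverify_after:
            raise ValueError("gc window must be longer than the re-verification window")
        self.reverify_after = reverify_after
        self.gc_after = gc_after
        self._by_device: dict[tuple[str, str], Session] = {}  # (user, device) -> session
        self._by_id: dict[str, Session] = {}

    def establish(self, user_id: str, device_id: str, now: datetime) -> Session:
        """Called after a successful authentication on a device.
        One session per (user, device): an existing live session is
        re-established by refreshing last_verified instead of being replaced."""
        key = (user_id, device_id)
        s = self._by_device.get(key)
        if s is None or s.revoked:
            s = Session(user_id, device_id, created_at=now, last_verified=now)
            self._by_device[key] = s
            self._by_id[s.session_id] = s
        else:
            s.last_verified = now
        return s

    def check(self, session_id: str, device_id: str, now: datetime) -> str:
        """Return 'ok', 'reauth' (exists but must be re-verified) or 'invalid'
        (unknown, revoked, or presented from a device it is not bound to)."""
        s = self._by_id.get(session_id)
        if s is None or s.revoked or s.device_id != device_id:
            return "invalid"
        if now - s.last_verified > self.reverify_after:
            return "reauth"
        return "ok"

    def revoke(self, user_id: str, device_id: str) -> bool:
        """Lock down a single device's session without touching the user's others."""
        s = self._by_device.get((user_id, device_id))
        if s is None or s.revoked:
            return False
        s.revoked = True
        return True

    def garbage_collect(self, now: datetime) -> int:
        """Drop sessions that are revoked or unverified for longer than gc_after."""
        stale = [s for s in self._by_id.values()
                 if s.revoked or now - s.last_verified > self.gc_after]
        for s in stale:
            del self._by_id[s.session_id]
            self._by_device.pop((s.user_id, s.device_id), None)
        return len(stale)


def demo() -> list[str]:
    """Constructed timeline walking through the scenario from the post."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = DurableSessionStore(reverify_after=timedelta(days=7), gc_after=timedelta(days=90))
    s = store.establish("alice", "phone-1", t0)
    events = [
        store.check(s.session_id, "phone-1", t0 + timedelta(days=3)),   # fresh -> ok
        store.check(s.session_id, "phone-1", t0 + timedelta(days=10)),  # stale -> reauth
    ]
    # Re-authentication on day 10 re-establishes the same session rather than minting a new one.
    s2 = store.establish("alice", "phone-1", t0 + timedelta(days=10))
    events.append("same" if s2.session_id == s.session_id else "new")
    events.append(store.check(s.session_id, "laptop-1", t0 + timedelta(days=10)))  # wrong device
    events.append(str(store.garbage_collect(t0 + timedelta(days=50))))   # 40 days unverified: kept
    events.append(str(store.garbage_collect(t0 + timedelta(days=101))))  # 91 days unverified: collected
    return events


if __name__ == "__main__":
    print(demo())
```

The point of separating `reverify_after` from `gc_after` is that a stale session is not thrown away, it is merely downgraded to "re-authenticate to continue", which preserves the binding between user and device that the post wants to keep; only sessions that are never re-verified are eventually collected.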