
Fresh Session

Fresh-session verification lets recently signed-in users clear low and medium-risk step-up checks without re-entering a credential.

A fresh session is the lightest of the three sensitive-action verification methods. If the user signed in recently enough, low and medium-risk actions clear without asking for anything extra.

How it works

Freshness is measured by the session creation time, not by activity. When requireSensitiveAction runs for a level-1 or level-2 action, it compares the current session's age against the fresh-session window in POLICY_BY_LEVEL (packages/backend/convex/security/sensitiveActions.ts). Within the window the action proceeds; outside it, the user is asked for a password or email code instead.

When it applies

  • Level 1 — a fresh session is sufficient on its own.
  • Level 2 — a fresh session, password, or email code all satisfy the check.
  • Levels 3 and 4 — a fresh session is never accepted; these always require an explicit password or email verification.

This keeps everyday friction low while ensuring the most destructive actions always demand a deliberate, current proof of identity.

Tuning

The fresh-session window lives in POLICY_BY_LEVEL. Shorten it to demand more frequent re-verification, or lengthen it to reduce friction. Helper logic is in security/freshSession.ts and security/sessionScope.ts.
