Flows and sessions

Authentication isn’t a single event - it’s a process that involves multiple steps and creates ongoing relationships between users and systems. Understanding authflows and sessions is key to building secure applications.

An authflow is the complete process a user goes through to authenticate. It starts when a user attempts to log in and ends when they’re either successfully authenticated or the process fails.

Think of an authflow like a conversation between the user and the system:

  1. User says “I want to log in”
  2. System asks “Who are you and how can I verify that?”
  3. User provides their credentials
  4. System verifies the credentials
  5. System either grants access or denies it

The authflow begins when:

  • A user clicks “Log in” on your application
  • An unauthenticated user tries to access protected content
  • A user’s session expires and they need to re-authenticate

Once the flow has started, the system:

  • Presents the appropriate login interface
  • Collects the user’s credentials (username, password, etc.)
  • May request additional factors for multi-factor authentication
  • Handles user input validation and error messages

To verify the submitted credentials, the system:

  • Verifies each authentication factor
  • Checks passwords against stored hashes
  • Validates time-based tokens
  • Handles failed authentication attempts

Finally, the system:

  • Determines if authentication was successful
  • Creates a session if authentication succeeds
  • Redirects the user to the appropriate page

A session represents the ongoing relationship between an authenticated user and your application. It’s like a temporary ID card that proves the user has been authenticated and allows them to access protected resources.

Over its lifetime, a session is:

  • Created when authentication succeeds
  • Assigned a unique session identifier
  • Linked to the user’s identity
  • Set with an expiration time
  • Kept active while the user is using the application
  • Extended through user activity

Sessions end when:

  • User explicitly logs out
  • Session expires due to inactivity
  • Session is revoked for security reasons
  • User’s account is deactivated
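The session lifecycle described above, as an added example that is not part of this page or of any product’s code: an in-memory store that issues an unguessable identifier linked to a user, expires sessions on inactivity and on an absolute lifetime, extends them on activity, and ends them on logout, revocation or account deactivation. The timeout values and the injectable clock are assumptions chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # inactivity limit in seconds (assumed policy)
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap regardless of activity (assumed policy)

@dataclass
class Session:
    session_id: str
    user_id: str      # the identity the session is linked to
    created_at: float
    last_seen: float
    revoked: bool = False

class SessionStore:
    """In-memory store; a real deployment would back this with a database or cache."""
    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested deterministically
        self._sessions = {}

    def create(self, user_id):
        # Unguessable random identifier, never derived from the user's identity
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(sid, user_id, now, now)
        return sid

    def validate(self, sid):
        """Return the user_id of an active session, else None; activity extends the idle window."""
        s = self._sessions.get(sid)
        if s is None or s.revoked:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created_at > ABSOLUTE_LIFETIME:
            self._sessions.pop(sid, None)   # expired: drop it so the id cannot be reused
            return None
        s.last_seen = now                   # sliding expiration: activity extends the session
        return s.user_id

    def logout(self, sid):
        self._sessions.pop(sid, None)       # explicit logout ends the session immediately

    def revoke_user(self, user_id):
        """Revoke every session of a user, e.g. on a security event or account deactivation."""
        hits = [s for s in self._sessions.values() if s.user_id == user_id and not s.revoked]
        for s in hits:
            s.revoked = True
        return len(hits)
```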