Shopify User Session Management

Shopify case studies for user session management and adaptive authentication: restrict multiple logins by terminating a user's existing session in the store.

Updated On: Oct 26, 2023

What is a Session?

Let’s first understand how a web application or website such as a Shopify store handles user access. Generally, there are three layers of security mechanisms:

  • Authentication
  • Session management
  • Access control

These mechanisms secure the communication between the user and the server so that an attacker cannot intercept it. When a user or customer signs in to a store, the server does not by itself know who is behind the browser. To solve this, the server creates a session for that user, and that session is reused across subsequent page requests. The server also creates sessions to keep track of anonymous users after their very first request.

Session management in Shopify

In Shopify, once a session has been established, a session ID is generated and sent to the user's browser. This Shopify session token enables the store to maintain the authenticated state and monitor user activity. The session ID is central to Shopify user session management and is shared between the user and the application until the session ends.

However, attackers can target an active session and hijack it, so it is essential to set an expiration timeout for every session. The shorter the session lifetime, the less time an attacker has to make use of a valid session ID.

If the user logs out of the store or remains inactive for a set period, the session expires. The user's state should also change from authenticated to unauthenticated on events such as password changes and permission changes. When that happens, the old session ID must be terminated and a new Shopify session token used for all further requests to the store application.

If you are logged in to your Store admin on a device, sessions from that device aren’t counted as online store sessions.

Why do we need Adaptive Authentication?

Improper Shopify user session management or weak authentication can allow attackers to compromise accounts by stealing passwords or session tokens. Many development frameworks offer tools for implementing session management securely, but many of these solutions have weaknesses. Adaptive authentication addresses this by adding a layer of multi-factor authentication whose strength depends on the assessed risk and on the access policies set by security administrators.

What is Adaptive Authentication?

Adaptive authentication refers to a type of multi-factor authentication that dynamically selects authentication methods based on the user’s risk profile. For instance, it may prompt for MFA based on factors such as login behavior, device IP address, geo-location, and so on. This improves security for Shopify online store sessions while offering a tailored user experience.

Adaptive Authentication in Shopify

When a user signs in to a store, adaptive authentication strengthens security by automatically triggering real-time MFA if risks such as fraud or improper authentication are detected. The risk of the login is assessed without the user noticing, and multi-factor authentication (MFA) is required only when the assessed risk is high.

Adaptive authentication responds to the assessed risk level and presents an appropriate level of authentication challenge, whatever your organization's risk tolerance. Adaptive authentication solutions can strengthen the authentication method based on a wide variety of factors, including:

  • Source IP address
  • Time of day
  • Geo-location (physical location)
  • Entity type (device type)
  • Content-based

During online store sessions, Shopify evaluates every request and assigns a risk score. Depending on the risk score, the user may be required to provide additional authentication factors to prove their identity.

For Shopify stores with team-based operations, employee session management allows admins to assign roles and permissions. This ensures employees have appropriate access while preventing unauthorized actions.

For example, if a user tries to access the Store via multiple devices, they may be asked to sign out from other devices. Likewise, if the user tries to log in from a geographical location other than their office, they may have to verify their identity by answering a security question. By integrating adaptive authentication with Shopify user session management and employee session management, store owners can ensure security without compromising user convenience.

Session Management and Adaptive Authentication Use Cases

Terminate user sessions and prevent multiple simultaneous logins by the same user

Consider that you use Shopify to sell streaming videos that can only be accessed after purchasing a subscription. Customers may share their login credentials with others, allowing multiple people to access the content simultaneously.

As the store owner, you want to discourage credential sharing and restrict each customer account so that only one user can be logged in from one device at a time.

Assume the customer is already logged in from one device. When someone else tries to log in with the same credentials from another device, you would like to do one of the following:

  • Prompt the user to log out from the first device and block login from the second device until the user successfully logs out from the first device.

  • Terminate the session on the first device without alerting the user and log the user in from the second device by creating a new session.

Using tools like the miniOrange app, you can restrict the number of devices that can access a Shopify store account simultaneously.

In practice it works like this: when Device A logs in to the store, a session is established. If Device B then tries to log in with the same credentials, all existing sessions are revoked: the Shopify session token for Device A is invalidated and the user on Device B is logged in with a new session.

This feature helps prevent multiple logins by the same user, enhancing store security.
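As an added illustration (not miniOrange's or Shopify's code), the following Python sketches a session store that enforces one active session per customer with both policies listed above, and also performs the token rotation after a password or permission change described in the session management section. The store, token format and timeouts are assumptions for the example; callers pass the current time so the behaviour is deterministic.

```python
import secrets


class SessionStore:
    """Constructed in-memory store enforcing one active session per customer.
    policy="revoke": a new login invalidates the older session (Device A loses access).
    policy="block": a new login is refused while an unexpired session exists."""

    def __init__(self, policy="revoke", ttl_seconds=1800):
        self.policy = policy
        self.ttl = ttl_seconds
        self.sessions = {}   # token -> (customer_id, device, last_seen)
        self.active = {}     # customer_id -> current token

    def _issue(self, customer_id, device, now):
        token = secrets.token_urlsafe(32)   # unguessable session ID
        self.sessions[token] = (customer_id, device, now)
        self.active[customer_id] = token
        return token

    def _expired(self, token, now):
        rec = self.sessions.get(token)
        return rec is None or now - rec[2] > self.ttl

    def login(self, customer_id, device, now):
        old = self.active.get(customer_id)
        if old is not None:
            if self.policy == "block" and not self._expired(old, now):
                return None      # caller prompts the user to sign out of the first device
            self.revoke(old)     # revoke policy, or a stale session: terminate it
        return self._issue(customer_id, device, now)

    def is_valid(self, token, now):
        if self._expired(token, now):
            self.revoke(token)   # inactivity timeout reached
            return False
        cid, dev, _ = self.sessions[token]
        self.sessions[token] = (cid, dev, now)   # sliding inactivity window
        return True

    def rotate(self, token, now):
        """After a password or permission change: retire the old ID, issue a new one."""
        if not self.is_valid(token, now):
            return None
        cid, dev, _ = self.sessions[token]
        self.revoke(token)
        return self._issue(cid, dev, now)

    def revoke(self, token):
        rec = self.sessions.pop(token, None)
        if rec and self.active.get(rec[0]) == token:
            del self.active[rec[0]]
```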

Lock down the account to one location at a time

You own a Shopify store that sells car accessories.

Customers from all over the world order products from your store, but you can ship only to certain countries. Since your shipping capabilities are limited to specific countries, you want to prevent users in non-serviceable locations from accessing your store.

With location-based adaptive restriction, the admin selects the list of countries from which end-users should not be allowed to log in. During login, the user's geolocation (IP address, latitude and longitude) is checked against the administrator's list, and access to the Shopify online store session is granted or denied accordingly.

This approach lets the store enforce strict location-based access control on online store sessions and keep them consistent with your shipping policies.

Restrict access to Shopify online store sessions from several devices for a single account

Suppose you own a Shopify store offering a streaming service with a wide variety of TV shows, movies, anime, documentaries and more on a subscription basis. A user logs in, purchases a plan, and shares the account credentials with friends so that they can use the service without buying a plan. You then have to act against that customer and ask them not to share their login details, which is an awkward customer-service task.

In this scenario, you would like to restrict the customer account to logging in from one device, or from several devices depending on the plan purchased. You want to discourage account sharing and prevent multiple simultaneous logins by the same user.

The administrator can require end-users to register a fixed number of trusted devices from which they may access their account. If the end-user logs in from a trusted (registered) device, access is granted. If they try to start an online store session from an unregistered device, Shopify will not grant access.

This ensures streamlined Shopify user session management and prevents misuse of shared credentials.

Limit the number of sessions or purchases for a single customer or household

Consider a Shopify store that sells branded products such as T-shirts, pants and caps to users in any country. You offer free delivery on the first purchase. However, customers from a single household may try to exploit this by creating multiple accounts on multiple devices to avoid the delivery fee.

To prevent this, our app lets you limit connections to the store with IP restriction. If customers are connected to the same network, the IP address is the same for every device on that network. The admin can block those users from accessing the store by adding that IP address to the list of blocked IPs.

Any further attempt to connect to your store from that address is blocked unless the connection comes from a new IP address. Our additional feature, “Block access from VPN”, also helps restrict customers who use a VPN to disguise their IP address when logging in to their account.
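The following Python is an added example, not the miniOrange app's code, that combines the risk factors listed under adaptive authentication with the location, trusted-device, IP and VPN restrictions from the use cases above: hard policy violations deny the login, while softer signals add to a risk score that steps the user up to MFA. The policy values, the country code, the network range, the device limit and the GeoIP result are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy values standing in for what a store admin would configure.
BLOCKED_COUNTRIES = {"ZZ"}                                   # non-serviceable countries ("ZZ" is a placeholder)
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/29")]  # a household network abusing free delivery (TEST-NET-3)
MAX_TRUSTED_DEVICES = 2                                      # devices allowed by the customer's plan
USUAL_HOURS = range(7, 23)                                   # local hours treated as normal
MFA_THRESHOLD = 2                                            # risk score at which MFA is required


@dataclass
class LoginAttempt:
    customer_id: str
    ip: str
    country: str          # result of a GeoIP lookup (constructed in the caller)
    device_id: str
    hour: int             # local hour of day, 0-23
    via_vpn: bool = False


def enroll_device(trusted, customer_id, device_id):
    """Register a trusted device for a customer, honouring the per-plan device limit."""
    devices = trusted.setdefault(customer_id, set())
    if device_id in devices:
        return True
    if len(devices) >= MAX_TRUSTED_DEVICES:
        return False
    devices.add(device_id)
    return True


def evaluate(attempt, trusted, last_country=None):
    """Return ("deny" | "mfa" | "allow", reasons) for one login attempt."""
    addr = ipaddress.ip_address(attempt.ip)
    if attempt.country in BLOCKED_COUNTRIES:
        return "deny", ["country not serviceable"]
    if any(addr in net for net in BLOCKED_NETWORKS):
        return "deny", ["source IP is on the block list"]
    if attempt.via_vpn:
        return "deny", ["VPN detected"]
    devices = trusted.get(attempt.customer_id, set())
    if devices and attempt.device_id not in devices:
        return "deny", ["unregistered device"]
    # Softer signals: each contributes a weight to the risk score.
    signals = [
        (not devices, 2, "first login, no trusted device yet"),
        (last_country is not None and attempt.country != last_country, 2, "country differs from last login"),
        (attempt.hour not in USUAL_HOURS, 1, "unusual time of day"),
    ]
    reasons = [why for hit, _, why in signals if hit]
    score = sum(weight for hit, weight, _ in signals if hit)
    return ("mfa" if score >= MFA_THRESHOLD else "allow"), reasons
```

A caller would enroll the device with enroll_device only after a successful MFA challenge, so a customer on a one-device plan cannot silently add a second device.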

Effective Shopify user session management and adaptive authentication can greatly enhance the security and user experience of your store. From preventing multiple logins to restricting location-based access to limiting device registrations, miniOrange’s solution will help you ensure that your Shopify online store sessions remain secure.

Author: miniOrange