
Own session management

The following documentation explains in detail how Corbado can be used with your own session management. If you are building a new application without existing users, we strongly recommend using Corbado's session management, as it is a proven solution and will save you a lot of implementation time.
To use your own session management, you have to switch the toggle in the Corbado developer panel under "Settings" - "Sessions". Otherwise, your Redirect URL will not receive the corbadoAuthToken.

Overview

Own session management overview

1. Get and validate corbadoAuthToken

After successful authentication, e.g. passkeys or email magic link, Corbado redirects the user to the Redirect URL that you have defined in the developer panel.
The Redirect URL will be appended with a GET parameter (query string) called corbadoAuthToken (e.g. https://www.acme.com/corbado?corbadoAuthToken=<tokenValue>). This token is valid for five minutes and can only be used once.
To proceed, you need to validate this token:
PHP
Node.js (Express)
Other
Create an instance of the Backend SDK (private client) first.
$corbadoAuthToken = $_GET['corbadoAuthToken'];
$remoteAddress = $_SERVER['REMOTE_ADDR'];
$userAgent = $_SERVER['HTTP_USER_AGENT'];

try {
    $request = new \Corbado\Generated\Model\AuthTokenValidateReq();
    $request->setToken($corbadoAuthToken);
    $request->setClientInfo(\Corbado\SDK::createClientInfo($remoteAddress, $userAgent));

    /** @var \Corbado\Generated\Model\AuthTokenValidateRsp $response */
    $response = $corbado->authTokens()->authTokenValidate($request);

    // ...

} catch (\Corbado\Generated\ApiException $e) {
    // Handle exception (access $e->getResponseBody() for more details)
} catch (Throwable $e) {
    // Handle exception
}
Create an instance of the Backend SDK (private client) first.
exports.corbadoAuthenticationHandler = async function(req, res) {
    let corbadoAuthToken = req.query.corbadoAuthToken;
    let clientInfo = corbado.utils.getClientInfo(req);
    corbado.authToken.validate(corbadoAuthToken, clientInfo)
        .then(response => {
            // ...
        })
        .catch(err => {
            // Handle a rejected token (expired, already used or forged)
            // ...
        });
}
No Origin header should be set on the API call from your backend to Corbado's AuthTokenValidate Backend API endpoint.
clientInfo extracts the information from an HTTP request object - specifically, the client's IP address (remoteAddress) and browser/OS details (userAgent).
The client's IP is obtained by checking the 'x-forwarded-for' header first - this is common when clients connect via an HTTP proxy or load balancer. If the header is present, the function extracts the first IP from it, whether the header is given as an array or as a string. If the 'x-forwarded-for' header is absent, the function falls back to the IP address of the remote socket:
{
remoteAddress: string,
userAgent: string
}

2. Get user data and generate own session

Next, you can read the user data from the response and create your own session:
PHP
Node.js (Express)
// ...
session_start();
// Issue a fresh session ID on login so a pre-existing session cannot be fixated
session_regenerate_id(true);
$_SESSION['userID'] = $response->getData()->getUserId();
header('Location: /');
exit(0);
const jwt = require('jsonwebtoken');

exports.corbadoAuthenticationHandler = async function(req, res) {
    // ...
    corbado.authToken.validate(corbadoAuthToken, clientInfo)
        .then(response => {
            let userID = response.data.userID;
            let token = jwt.sign({ userId: userID }, process.env.JWT_SECRET_KEY, { expiresIn: '1h' });
            // httpOnly keeps the cookie away from page scripts; secure restricts it to HTTPS
            res.cookie('jwt', token, { httpOnly: true, secure: true, sameSite: 'lax', maxAge: 3600000 });
            res.redirect('/profile');
        })
        .catch(err => {
            console.error(err);
            res.status(500).send('Server Error');
        });
}