femto-backend/Femto.Docs/Design/Auth/strong_vs_weak_session.md
2025-05-29 00:39:40 +02:00


Strong vs weak sessions

A strong session is one that should have the power to do account-level admin tasks, such as changing the password.

A weak session has strictly fewer privileges than a strong session.

Where to get a strong session

A strong session is created when a user provides a username and a password. A session remains strong until it is refreshed, at which point it becomes weak.

Where to get a weak session

A weak session is any session that has not been directly created by user credentials, i.e.:

  • short-term session refresh
  • long-term session refresh
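
The lifecycle described above, sketched as an added example (not code from the Femto code base): login with credentials yields a strong session, any refresh yields a weak one, and the weak privilege set is a strict subset of the strong one. The action names other than changing the password, the `SessionService` class, and the rotation of the session id on refresh are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass

# Assumed action names; the page names only "change password" as strong-only.
WEAK_ACTIONS = frozenset({"read_profile", "create_post"})
STRONG_ACTIONS = WEAK_ACTIONS | {"change_password"}
assert WEAK_ACTIONS < STRONG_ACTIONS  # weak is a strict subset of strong

@dataclass(frozen=True)
class Session:
    session_id: str
    user: str
    strong: bool

class SessionService:  # hypothetical name, for illustration only
    def __init__(self, verify_credentials):
        self._verify = verify_credentials  # callable(user, password) -> bool
        self._sessions = {}

    def _issue(self, user, strong):
        s = Session(secrets.token_urlsafe(32), user, strong)
        self._sessions[s.session_id] = s
        return s

    def login(self, user, password):
        # Only direct presentation of credentials yields a strong session.
        if not self._verify(user, password):
            raise PermissionError("invalid credentials")
        return self._issue(user, strong=True)

    def refresh(self, session_id):
        # Assumption: refresh rotates the id. The result is always weak,
        # even when the session being refreshed was strong.
        old = self._sessions.pop(session_id, None)
        if old is None:
            raise PermissionError("unknown or already refreshed session")
        return self._issue(old.user, strong=False)

    def authorize(self, session_id, action):
        s = self._sessions.get(session_id)
        if s is None:
            return False  # unknown sessions get no privileges at all
        return action in (STRONG_ACTIONS if s.strong else WEAK_ACTIONS)

def demo():
    # Constructed credentials check, a stand-in for a real password verifier.
    svc = SessionService(lambda u, p: (u, p) == ("alice", "constructed-pw"))
    strong = svc.login("alice", "constructed-pw")
    before = svc.authorize(strong.session_id, "change_password")
    weak = svc.refresh(strong.session_id)
    after = svc.authorize(weak.session_id, "change_password")
    return before, after, svc.authorize(weak.session_id, "read_profile")
```

To regain the ability to change the password after a refresh, the user has to call `login` again with credentials; there is no path from a weak session back to a strong one.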