DataHandler.AccountsWithSessions
AccountsWithSessions — Production-Grade Local Authentication & Session System
A complete, offline-capable, cryptographically sound user authentication and session management system for .NET desktop applications.
Used as the core identity engine in the DataRequest ecosystem and SecretManager vaults.
Security Guarantees
- Passwords hashed with Argon2id (8 MiB memory, 4 iterations, 64-byte salt)
- All sensitive values stored encrypted under per-user 256-bit data encryption key
- Data encryption key encrypted under user password
- Recovery key (offline reset) encrypted under data encryption key
- Session tokens: 64-byte random key + 32-byte ID, encrypted + tamper-protected
- Full sliding session expiry with encrypted consistency checks
- Rate-limited recovery with configurable lockout (default: 5 fails → 20 min)
- Zero plaintext secrets in memory (SecureData used everywhere)
- All file updates atomic via JSONDataHandler
Types
ActiveSession
Encrypted session record stored in Users.json → "Sessions"
- string Username
- string SessionID (random 32-char)
- string SessionKey — encrypted under user’s data encryption key
- string Expiry — ISO-8601 UTC expiry
- string IsTrusted — encrypted payload: Expiry|IsTrustedFlag
- string ChecksAndLastTry — encrypted payload: FailedRecoveryCount|LastAttemptUtc
ConnectedSessionReturn
Decrypted session object returned to caller (all fields SecureData)
- Username, SessionKey, SessionID, Directory
SecuritySettings (static)
Global configuration — must be initialized before first use
public static SecureData PublicKey { get; private set; } // Required — set via SetPublicKey()
public static double ExpiryDuration { get; private set; } = 540; // 9 hours
public static double TrustedExpiryDuration { get; private set; } = 20160; // 14 days
public static int FailRecoveryCheck { get; private set; } = 5;
public static double TimeToNextRecovery { get; private set; } = 20;