Enhancing Pinner security with login emails and revoking sessions

Pinterest Engineering
3 min read, intermediate

Overview

The article discusses enhancements made to Pinterest's security measures, specifically the introduction of email notifications for new logins and the ability for users to view and revoke active sessions. These features aim to provide users with greater control over their account security.

What You'll Learn

1. How to receive email notifications for new logins on Pinterest
2. How to revoke active sessions from your Pinterest account
3. Why using a Session Manager is crucial for session validation

Key Questions Answered

How does Pinterest notify users of new logins?
Pinterest sends an email notification to users whenever there is a login from a new device or location. This feature is part of their enhanced security measures to keep user accounts safe.

What is the role of Session Manager in Pinterest's security features?
Session Manager is a Java service responsible for storing and validating user sessions. It validates each request and allows users to revoke sessions, enhancing account security.

How can users revoke unwanted sessions on Pinterest?
Users can view their active sessions in the 'Security' section of their settings and can revoke any unwanted session by clicking the 'End Activity' button.

What happens when a new login is detected on Pinterest?
When a new login is detected, an asynchronous job is triggered to check if the login is from a new device or IP address, and an email is sent to the account owner to inform them.
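To make the two mechanisms above concrete, here is an added illustrative model of a session service (not Pinterest's Session Manager or Pinlater code): it stores sessions, validates a token on every request, lets only the account owner revoke a session, and fires a notification callback when a login comes from a (device, IP) pair not seen before for that user. The in-memory dictionaries and the `notify` callback standing in for the asynchronous email job are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user_id: str
    device_id: str
    ip: str
    created_at: float
    revoked: bool = False


class SessionManager:
    """Hypothetical in-memory session store modelling the service described above."""

    def __init__(self, notify):
        self._sessions = {}   # token -> Session
        self._known = {}      # user_id -> set of (device_id, ip) pairs already seen
        self._notify = notify # callback standing in for the async "new login" email job

    def login(self, user_id: str, device_id: str, ip: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = Session(user_id, device_id, ip, time.time())
        seen = self._known.setdefault(user_id, set())
        if (device_id, ip) not in seen:    # new device or new IP -> tell the owner
            seen.add((device_id, ip))
            self._notify(user_id, device_id, ip)
        return token

    def validate(self, token: str):
        """Called on every request; returns the user id or None if the token is invalid/revoked."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        return s.user_id

    def active_sessions(self, user_id: str):
        """What the 'Security' settings page would list for this user."""
        return [(t, s) for t, s in self._sessions.items()
                if s.user_id == user_id and not s.revoked]

    def revoke(self, user_id: str, token: str) -> bool:
        """'End Activity': only the session's owner may revoke it."""
        s = self._sessions.get(token)
        if s is None or s.user_id != user_id:
            return False
        s.revoked = True  # later validate() calls for this token fail immediately
        return True
```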

Key Statistics & Figures

Number of logins per day: a few million
This statistic highlights the volume of login events that the email notification system must handle.

Session validation requests per second: 150k+
This demonstrates the high demand on the Session Manager for validating user sessions.

Technologies & Tools


Java (backend): Used for the Session Manager service that handles user session storage and validation.
Thrift (backend): Used as the interface for the API to validate sessions.
Pinlater (backend): An asynchronous job execution system used for dispatching email notifications.

Key Actionable Insights

1. Implement email notifications for new logins to enhance user security.
This feature allows users to be immediately aware of any unauthorized access attempts, enabling them to take action quickly.

2. Encourage users to regularly check their active sessions and revoke any that seem suspicious.
This proactive approach helps users maintain control over their accounts and prevents unauthorized access.

3. Utilize a Session Manager for efficient session validation and management.
Having a dedicated service like Session Manager ensures that session handling is scalable and secure, especially for high-traffic applications.

Common Pitfalls

1. Failing to monitor active sessions can lead to security breaches.
Users may overlook the importance of regularly checking their active sessions, which can result in unauthorized access remaining undetected.