Code Room
System design | Hard | sd-g687
Subject: Authentication | Level: Senior–Staff | ~40 min | Common in Security interviews | Industries: Technology

Question

Design a session-management service for a platform with 100M users and 300 microservices. It must validate a session on every request (2M validations/s) with under 5ms p99, support immediate revocation on logout / password change / detected compromise, allow multiple concurrent sessions per user with per-device visibility, and survive a regional outage. Threat model: stolen session tokens, token replay across regions, and an attacker trying to keep a session alive after the user revokes it. Cover the token format, the stateful-vs-stateless trade-off, revocation propagation, and multi-region behavior.

What a strong answer looks like

Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
