Session Isolation
also known as Tenant Separation, Per-User State
Keep one user's session state and memory unreachable from another user's agent.
Context
A team is shipping an agent product to many users. Each user expects their conversation history, preferences, and any data they share to stay private to them. For cost and operational reasons, the backend shares some infrastructure across users — caches, vector stores, model contexts — rather than running a fully isolated stack per user.
Problem
A shared memory backend or a shared model context can leak one user's data into another user's response. A misindexed cache key returns user A's history to user B. A prompt-cache prefix that includes user-specific context is reused across users. A vector store query without per-user partitioning surfaces another user's documents as 'relevant'. Any of these is a privacy and security failure that can be much worse than an ordinary bug, because the leak may go unnoticed for a long time and the consequences for user trust and regulatory exposure are severe.
Forces
- Cache hits across users are tempting for cost; they break isolation.
- Auth scope must travel with every read and write.
- Multi-tenant prompt injection becomes a real attack surface.
Example
A multi-tenant assistant uses a shared vector cache across all users and one day a competitive-intelligence answer for tenant A surfaces in tenant B's context because the embedding match was strong. The team scopes every cache key, every memory backend read, and every prompt context to the per-user OAuth subject end-to-end. Cross-tenant contamination becomes structurally impossible rather than 'we hope it doesn't happen.'
Diagram
Solution
Therefore:
Session state is keyed by per-user identity (OAuth/JWT subject). Reads and writes carry that identity end-to-end. Caches are scoped per user. Prompts never include another user's content.
What this pattern forbids. No code path may read or cache user A's state under user B's identity.
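An added example (not code from the original page) of the scoping rule above: a shared key/value memory backend, a cache key, a document search and a prompt-context builder that each take the authenticated principal (assumed here to be the OAuth/JWT `sub`) as a mandatory argument, so there is no code path that reads user A's state under user B's identity. The unscoped cache key is shown only as the contrasting anti-pattern. Store, principal and document shapes are constructed for illustration.

```python
"""Per-principal scoping of session state, cache keys and retrieval (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import hashlib


@dataclass(frozen=True)
class Principal:
    """Authenticated identity carried end-to-end (assumed: the OAuth/JWT `sub` claim)."""
    sub: str


@dataclass
class ScopedStore:
    """Key/value backend shared across tenants; every key is prefixed with the principal."""
    _data: Dict[str, str] = field(default_factory=dict)

    @staticmethod
    def _key(p: Principal, name: str) -> str:
        # NUL separator: a crafted `name` can never alias another subject's namespace.
        return f"{p.sub}\x00{name}"

    def write(self, p: Principal, name: str, value: str) -> None:
        self._data[self._key(p, name)] = value

    def read(self, p: Principal, name: str) -> Optional[str]:
        # There is no read() without a principal, so "read A's state as B" cannot be written.
        return self._data.get(self._key(p, name))


def unscoped_cache_key(prompt: str) -> str:
    """Anti-pattern: keyed on content alone, so identical prompts from two users share a hit."""
    return hashlib.sha256(prompt.encode()).hexdigest()


def scoped_cache_key(p: Principal, prompt: str) -> str:
    """Hardened: the principal is part of the key; identical prompts from different users never collide."""
    return hashlib.sha256(f"{p.sub}\x00{prompt}".encode()).hexdigest()


def search_docs(p: Principal, docs: List[Dict[str, str]], term: str) -> List[str]:
    """Retrieval filtered by owner BEFORE relevance, so a strong match in another tenant's data is unreachable."""
    return [d["text"] for d in docs if d["owner"] == p.sub and term in d["text"]]


def build_context(p: Principal, store: ScopedStore, history_name: str = "history") -> str:
    """Assemble the prompt context from the caller's own memory only."""
    history = store.read(p, history_name) or ""
    return f"[user:{p.sub}]\n{history}"
```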
And the patterns that stand alongside it, or against it —
- complements: Short-Term Thread Memory (★★). Carry the relevant slice of conversation context across turns within a session.
- complements: Input/Output Guardrails (★★). Validate inputs before they reach the model and outputs before they reach the user.
- complements: Cross-Session Memory (★★). Persist user-specific facts, preferences, and prior context across all sessions, threads, and devices.
- complements: Tool Result Caching (★★). Cache the result of expensive deterministic tool calls keyed by their arguments so repeat calls within a session return immediately.
- complements: Prompt Injection Defense (★). Tag user-supplied or tool-supplied content as untrusted and refuse to follow instructions found inside it.
- complements: PII Redaction (★★). Detect and remove personally identifiable information from inputs to and outputs from the model.
- complements: Secrets Handling (★). Ensure the model never receives secrets in plaintext; tools resolve credentials from references at runtime.
- complements: Sovereign Inference Stack (★). Run the entire agent stack (model weights, inference, tool layer, vector stores, logs) inside a jurisdictional and operational boundary the operator controls, so no request, prompt, or output crosses into a third-party API.
- alternative-to: Memory Extraction Attack (✕). Anti-pattern: let any session prompt the agent to read out, summarise, or paraphrase long-term memory entries belonging to other users, prior sessions, or system state, with no read-time isolation by principal.
- complements: Shadow AI (✕). Anti-pattern: leave the corporate model offering so restrictive, slow, or narrow that employees bypass it with personal accounts and unapproved agent tools, creating data leakage and ungoverned tool calls that security cannot see.