sdamico · joelev · Mar 3, 2026
diff --git a/api/_lib/auth.js b/api/_lib/auth.js
@@ -21,7 +21,9 @@ async function getSession(req) {
   const { rows } = await sql`
     SELECT id, email, created_at, last_seen
     FROM sessions
-    WHERE id = ${sessionId} AND created_at > NOW() - INTERVAL '7 days'
+    WHERE id = ${sessionId}
+      AND created_at > NOW() - INTERVAL '7 days'
+      AND last_seen >= created_at
   `;
   if (rows.length === 0) return null;
 

diff --git a/api/logout.js b/api/logout.js
@@ -12,10 +12,14 @@ module.exports = async (req, res) => {
 
   const cookies = parseCookies(req.headers.cookie || '');
 
-  // Delete viewer session from DB before clearing cookie
+  // Revoke viewer session without deleting the row so FK-linked analytics remain intact.
   const sessionId = cookies['site-auth'];
   if (sessionId) {
-    await sql`DELETE FROM sessions WHERE id = ${sessionId}`;
+    await sql`
+      UPDATE sessions
+      SET last_seen = created_at - INTERVAL '1 second'
+      WHERE id = ${sessionId}
+    `;
   }
 
   // Delete admin session from DB before clearing cookie