Password-based encryption: keeping the user logged in without entering password again
Context
I have a system where some of user's data is encrypted via AES. Each user has their own key K. When the user creates an account, the K is generated and encrypted with a key derived from password via PBKDF2 (let's call this key P). This P(K) is stored in database and taken when logging in to be decrypted by P again.
There's a token system with refresh token stored in database and in user's http-only cookie. Every refresh token in DB is stored alongside the data about the user agent so all the active sessions from all devices can be identified and invalidated from account settings via a sessions manager.
Problem
In normal case, refresh token is used to keep the user logged in even after closing the tab and opening it again. But with this password based encryption system it's impossible to have K without knowing the P which is derived from password. That means either K or P needs to be stored either in cookies or in local storage. None of these variants seem to be safe to me, so I came up with an alternative solution I would like you to evaluate.
My Solution
When the user logs in, a "session key" S is generated. We make S(P) and store it in the database on server alongside the refresh token. Store S in localStorage.
This way, if S gets stolen, it will be useless on any other device but the one it was created on since the server won't give S(P) to decrypt as there's no refresh token and/or user agent data doesn't match. Also it will be possible to invalidate from session management panel as the S(P) will be deleted from database just like the refresh token. Password change will also lead to invalidation. If the database gets comprised, S(P) is also useless without S.
Would this approach be secure enough and wouldn't it be just as unsafe (or safe) as just storing P in localStorage? Maybe there's a different less complicated approach (though I don't find this one too complicated)
