public void OnAuthorization(AuthorizationFilterContext context)
 {
     if (context.ActionDescriptor.GetCustomMethodAttribute <AllowWithoutSession>() == null)
     {
         if (!context.HttpContext.Request.Headers.TryGetSessionId(out var sessionId))
         {
             throw new InvalidSessionException("No \"SessionId\" set in the token's claims.");
         }
         if (!_sessionTracker.IsActive(sessionId))
         {
             throw new InvalidSessionException($"Session with id \"{sessionId}\" is not active.");
         }
         _sessionTracker.SetLastActive(sessionId, DateTime.UtcNow);
     }
 }