Session Management and Security

18 minute read. Last updated: January 2025

Session management is critical for maintaining account security while providing convenient access for your users. This guide covers monitoring active sessions, implementing security policies, and managing user access across devices.

Understanding Sessions

What is a Session?

A session represents:

  • Active user login instance
  • Device and browser combination
  • Authentication state
  • Temporary access grant
  • Security context

Session Components

Each session includes:

  • Session Token - Unique, encrypted identifier with time-limited validity
  • Session Metadata - User info, device details, location, and activity timestamps

Security Tip: Each session is isolated and encrypted. Even if someone gains access to a session token, they cannot extract your password or access other sessions.

Viewing Active Sessions

User Session View

Users can monitor their own sessions:

  1. Click profile icon
  2. Select "Security"
  3. Choose "Active Sessions"
  4. Review session list

Session details include:

  • Device type (Desktop/Mobile/Tablet)
  • Browser and version
  • Operating system
  • IP address and approximate location
  • Login time and last activity
  • Current session indicator

Administrator View

Admins have enhanced visibility:

  • View all user sessions across the account
  • Filter by user, date, device, or location
  • See session duration and activity counts
  • Identify abnormal activity patterns
  • Access detailed audit logs

Session Security Policies

Session Duration

How long users stay logged in

Default: 30 days

Options: 15 days, 30 days, 90 days, 180 days

Idle Timeout

Logout after period of inactivity

Default: Optional

Options: 15 minutes, 30 minutes, 60 minutes, 24 hours

Concurrent Sessions

Number of simultaneous logins

Default: Unlimited

Options: Single session, 3 sessions, 5 sessions, Unlimited

Remember Me

Extended sessions for trusted devices

Default: 90 days

Options: Disabled, 30 days, 90 days, 180 days
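
How the duration, idle timeout and concurrent-session settings interact, as an added example (not the product's own code). The class and function names are hypothetical, the session records are constructed, and it assumes that expired sessions do not count toward the concurrent limit and that a login at the limit is refused with the "Too Many Sessions" error.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Policy:
    max_duration: timedelta = timedelta(days=30)  # page default
    idle_timeout: Optional[timedelta] = None      # page default: optional (off)
    max_concurrent: Optional[int] = None          # page default: unlimited

@dataclass(frozen=True)
class Session:
    sid: str
    created: datetime
    last_activity: datetime

def session_error(s, policy, now):
    """Return the error a request on this session would get, or None if valid."""
    if now - s.created > policy.max_duration:
        return "Session Expired"  # absolute lifetime; activity never extends it
    if policy.idle_timeout is not None and now - s.last_activity > policy.idle_timeout:
        return "Session Expired"  # idle timeout
    return None

def try_login(sessions, policy, now, new_sid):
    """Return (live_sessions, error); assumes expired sessions free their slot."""
    live = [s for s in sessions if session_error(s, policy, now) is None]
    if policy.max_concurrent is not None and len(live) >= policy.max_concurrent:
        return live, "Too Many Sessions"
    return live + [Session(new_sid, now, now)], None

# Constructed sample sessions (not real data).
NOW = datetime(2025, 1, 31, 12, 0)
SESSIONS = [
    Session("s1", datetime(2025, 1, 30, 9, 0), NOW - timedelta(minutes=5)),
    Session("s2", datetime(2024, 12, 25, 9, 0), NOW - timedelta(minutes=1)),  # 37 days old
    Session("s3", datetime(2025, 1, 31, 8, 0), NOW - timedelta(minutes=60)),  # idle 60 min
    Session("s4", datetime(2025, 1, 29, 9, 0), NOW - timedelta(minutes=10)),
    Session("s5", datetime(2025, 1, 31, 11, 50), NOW - timedelta(minutes=2)),
]

if __name__ == "__main__":
    strict = Policy(idle_timeout=timedelta(minutes=30), max_concurrent=3)
    live, err = try_login(SESSIONS, strict, NOW, "s6")
    print([s.sid for s in live], err)
```

Session s2 is refused even though it was active a minute ago, because the absolute duration is measured from login time rather than from last activity.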

Managing Sessions

Revoking Sessions

Individual Session Revocation:

  1. View active sessions
  2. Find the session to revoke
  3. Click "End Session"
  4. Confirm revocation
  5. Session terminated immediately

Bulk Revocation:

For security incidents or account compromises:

  • Select multiple sessions or "End All Sessions"
  • Exclude current session (optional)
  • Force all users to re-authenticate

Important: When forcing a logout, notify affected users in advance if possible. Have support ready to assist with re-authentication issues.

Advanced Security Features

Enhance your security posture with these advanced session controls:

Geographic Restrictions

Limit access by country or region

  • Whitelist countries
  • Block high-risk regions
  • VPN detection
  • Travel exceptions

Time-Based Access

Restrict login to specific hours

  • Business hours only
  • Timezone handling
  • Weekend policies
  • Holiday schedules

Device Trust

Register and require trusted devices

  • Device fingerprinting
  • Trust expiration
  • Unknown device alerts
  • Device limits

Risk Detection

Identify suspicious activity

  • Impossible travel
  • Unusual locations
  • Abnormal hours
  • High activity volume

Session Monitoring

Activity Tracking

All session activities are logged:

  • Login attempts (successful and failed)
  • Page views and navigation
  • Data access and modifications
  • Configuration changes
  • Export and download actions
  • API calls and integrations

Anomaly Detection

Automatic detection of suspicious patterns:

  • Impossible travel - Logins from distant locations within impossible timeframes
  • Unusual hours - Access outside normal patterns
  • High activity - Abnormal volume of actions
  • New locations - First-time access from countries or regions
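
One way to implement the impossible-travel check described above, as an added example (not the product's detection logic). The names, the 900 km/h speed ceiling and the 100 km noise floor are assumptions, and the login events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0    # assumption: roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0  # assumption: below this, treat as IP-geolocation noise

@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    lat: float
    lon: float

def haversine_km(a: Login, b: Login) -> float:
    """Great-circle distance between two login locations, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(logins):
    """Return (previous, current, km, km_per_hour) for each flagged pair."""
    alerts, last_seen = [], {}
    for cur in sorted(logins, key=lambda l: l.when):
        prev, last_seen[cur.user] = last_seen.get(cur.user), cur
        if prev is None:
            continue
        km = haversine_km(prev, cur)
        if km < MIN_DISTANCE_KM:
            continue
        hours = (cur.when - prev.when).total_seconds() / 3600
        # Simultaneous logins from distant places count as infinite speed.
        speed = km / hours if hours > 0 else float("inf")
        if speed > MAX_SPEED_KMH:
            alerts.append((prev, cur, km, speed))
    return alerts

# Constructed sample events (not real data).
LOGINS = [
    Login("alice", datetime(2025, 1, 10, 9, 0), 51.5074, -0.1278),     # London
    Login("alice", datetime(2025, 1, 10, 10, 30), 40.7128, -74.0060),  # New York, 90 min later
    Login("bob", datetime(2025, 1, 10, 8, 0), 48.8566, 2.3522),        # Paris
    Login("bob", datetime(2025, 1, 10, 20, 0), 52.5200, 13.4050),      # Berlin, 12 h later
    Login("carol", datetime(2025, 1, 10, 9, 0), 51.5074, -0.1278),     # London
    Login("carol", datetime(2025, 1, 10, 9, 5), 51.4700, -0.4543),     # Heathrow, 5 min later
]

if __name__ == "__main__":
    for prev, cur, km, speed in impossible_travel(LOGINS):
        print(f"{cur.user}: {km:.0f} km in {cur.when - prev.when} ({speed:.0f} km/h)")
```

Only the London to New York pair is flagged. IP geolocation is approximate and VPN or mobile-carrier egress points can relocate a user instantly, so a hit is a reason to review the session rather than proof of compromise.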

Security Alerts

Configure real-time notifications for:

  • New device logins
  • Location changes
  • Multiple failed login attempts
  • Concurrent login attempts
  • Password or security setting changes

Device Management

Trusted Devices

Simplify access for regular devices:

  1. During login, select "Trust this device"
  2. Device fingerprint is created
  3. Reduced authentication requirements apply
  4. Longer session duration permitted

Managing trusted devices:

  • View all trusted devices in security settings
  • Revoke trust status anytime
  • Set automatic trust expiration
  • Require periodic re-verification

Best Practice: Encourage users to regularly review their active sessions and trusted devices. Set up quarterly reminders for security reviews.

Session Security Best Practices

For Users

  1. Regular Review - Check sessions monthly for unknown devices
  2. Device Hygiene - Always logout from shared devices
  3. Suspicious Activity - Report immediately and change password
  4. Use MFA - Enable multi-factor authentication for added security

For Administrators

  1. Policy Configuration - Balance security with user convenience
  2. Regular Audits - Review session patterns quarterly
  3. Incident Response - Have clear procedures for security events
  4. User Education - Train users on session security

Troubleshooting

Unexpected Logouts

  • Check idle timeout settings
  • Verify session limit hasn't been reached
  • Review security policies for triggers
  • Check browser settings and extensions

Cannot End Session

  • Refresh the session list
  • Clear browser cache
  • Try a different browser
  • Contact support if issue persists

Session Errors

  • "Session Expired" - Normal timeout or security trigger
  • "Too Many Sessions" - Limit reached, end unused sessions
  • "Invalid Session" - Corrupted token, fresh login required