Session Management
The Session Management page provides full visibility into all active user sessions across your tenant. Administrators can monitor who is logged in, from which devices and locations, revoke individual or bulk sessions, and configure session lifetime policies that control how long users stay authenticated.
Auris tracks sessions across all authentication methods, including password-based login, magic links, social login, SSO, and M2M tokens. Each session records the device, IP address, authentication method, and MFA status.
Access session management via Console -> Settings -> Sessions.
You can also view sessions for a specific user at Console -> Users -> [user] -> Sessions tab.
Session Statistics
The Sessions page displays four summary cards at the top of the page:
| Statistic | Description |
|---|---|
| Active Sessions | Total number of sessions that are currently valid (not expired or revoked) |
| Unique Users | Number of distinct users with at least one active session |
| Created (24h) | Sessions created in the last 24 hours |
| Revoked (24h) | Sessions manually revoked by an administrator in the last 24 hours |
These statistics update automatically when the page loads. Use them to get a quick overview of authentication activity and spot anomalies such as unusual spikes in session creation.
Session List
Below the statistics, a table lists all sessions with the following columns:
| Column | Description |
|---|---|
| User | Email address and display name of the authenticated user |
| Device | Browser and operating system parsed from the user agent string |
| IP Address | The IP address from which the session was created |
| Auth Method | How the user authenticated: password, magic_link, social, sso, m2m |
| Created | When the session was created (absolute timestamp with relative time tooltip) |
| Last Activity | When the session was last used to make an authenticated request |
| Status | Active, Expired, or Revoked |
The table supports sorting by any column. Click a column header to toggle ascending and descending order.
Filtering Sessions
Use the filter controls above the session table to narrow down the list:
| Filter | Options | Description |
|---|---|---|
| Search | Free text | Filter by user email or name |
| Auth Method | password, magic_link, social, sso, m2m | Show only sessions created with a specific authentication method |
| Status | active, expired, revoked | Show only sessions in a specific state |
Filters can be combined. For example, search for a user’s email and filter by active status to see only their current sessions.
Expired sessions are retained in the list for 30 days for auditing purposes. After 30 days, they are automatically purged from the database.
Session Detail
Click any session row to expand it and view the full session details:
| Field | Description |
|---|---|
| Session ID | Unique identifier for the session |
| User Agent | The full user agent string from the browser or client |
| IP Address | Source IP with GeoIP location (city, country) if available |
| Auth Method | The authentication method used to create the session |
| MFA Status | Whether multi-factor authentication was completed during this session |
| ACR Claim | Authentication Context Class Reference value in the session’s tokens |
| AMR Claim | Authentication Methods Reference array (for example, ["pwd", "otp"]) |
| Created At | Exact timestamp when the session was created |
| Last Activity | Exact timestamp of the most recent authenticated request |
| Expires At | When the session will automatically expire based on session policy |
The ACR and AMR claims are useful for verifying that sessions meet the required authentication assurance level, especially when step-up authentication or adaptive MFA is configured.
Revoking Sessions
Revoke a single session
In the session table, find the session you want to revoke and click the Revoke button on that row. A confirmation dialog appears. Click Confirm to revoke the session immediately.
Revoke all sessions for a user
Navigate to Console -> Users -> [user] -> Sessions tab. Click the Revoke All Sessions button at the top of the sessions list. All active sessions for that user are revoked immediately.
Understand the effect of revocation
When a session is revoked:
- The refresh token is invalidated immediately. The user cannot obtain new access tokens.
- The access token remains valid until it naturally expires (default: 15 minutes). This is standard behavior for JWT-based authentication, since access tokens are verified locally without a server round-trip.
- The user is effectively logged out once their current access token expires and the refresh attempt fails.
If you need to terminate access immediately (for example, during a security incident), revoke the session and also consider reducing the access token expiry in your session policies. For truly instant revocation, applications must implement token introspection or use short-lived access tokens (for example, 1 minute).
Session Policies
Session policies control the lifetime and behavior of user sessions. Configure these at Console -> Settings -> Sessions -> Policies tab.
| Setting | Description | Default |
|---|---|---|
| Session Max Lifetime | The absolute maximum duration a session can exist, regardless of activity | 24 hours |
| Idle Timeout | The session expires after this period of inactivity (no authenticated requests) | 1 hour |
| Access Token Expiry | How long an access token is valid before the client must refresh it | 15 minutes |
| Refresh Token Expiry | How long a refresh token is valid. After this, the user must re-authenticate | 7 days |
| Max Concurrent Sessions | Maximum number of active sessions per user. Set to 0 for unlimited | 5 |
| Require MFA for Admin Roles | Whether users with admin roles must complete MFA to create a session | Yes |
Adjust policy values
Modify the settings in the policy form. Each field shows the current value and the system default for reference.
Save policies
Click Save. New policy values apply to all sessions created after the save. Existing sessions continue to use the policy values that were active when they were created.
Changing session policies does not retroactively affect existing sessions. If you reduce the max lifetime from 24 hours to 8 hours, sessions already created with a 24-hour lifetime continue to be valid for their original duration.
Concurrent Session Enforcement
When the Max Concurrent Sessions limit is reached and a user creates a new session, Auris automatically revokes the oldest active session for that user to make room for the new one.
How it works:
- User has 5 active sessions (the configured maximum)
- User logs in from a new device, creating session #6
- Auris identifies the oldest session (by creation time) and revokes it
- The new session is created successfully
- The user on the oldest device is logged out on their next token refresh
This ensures users are never prevented from logging in, while keeping the total number of active sessions bounded.
Setting the limit to 0 (unlimited) disables concurrent session enforcement entirely. Use this only if your application has no security requirement for session limits.
Session Lifecycle
A session moves through the following states:
- Created -> Active: The session is created upon successful authentication. It becomes active immediately.
- Active -> Expired: The session expires when either the max lifetime is reached or the idle timeout elapses without any authenticated requests.
- Active -> Revoked: An administrator manually revokes the session, or it is automatically revoked due to concurrent session enforcement.
Once a session is in Expired or Revoked state, it cannot be reactivated. The user must authenticate again to create a new session.
API Reference
Session management is available via the REST API for programmatic access and automation.
/api/sessions/api/sessions/:id/api/sessions/:id/api/sessions/revoke-all/api/sessions/stats/api/sessions/policies/api/sessions/policiesPermissions
| Permission | Description |
|---|---|
manage:sessions | Required to view the session list, view session details, and revoke sessions. Also required for the session statistics dashboard. |
manage:security_settings | Required to view and modify session policy configuration (lifetimes, timeouts, concurrent limits). |
Related Guides
- Security Settings — IP rules, brute-force protection, and suspicious login detection
- Authentication Settings — Configure authentication methods and MFA requirements
- Adaptive MFA — Risk-score-based MFA enforcement that interacts with session creation
- Session API Reference — Programmatic session management via the REST API
- Token Lifecycle — How access tokens, refresh tokens, and sessions relate to each other