Skip to Content
Admin ConsoleSession Management

Session Management

The Session Management page provides full visibility into all active user sessions across your tenant. Administrators can monitor who is logged in, from which devices and locations, revoke individual or bulk sessions, and configure session lifetime policies that control how long users stay authenticated.

Auris tracks sessions across all authentication methods, including password-based login, magic links, social login, SSO, and M2M tokens. Each session records the device, IP address, authentication method, and MFA status.

Access session management via Console -> Settings -> Sessions.

You can also view sessions for a specific user at Console -> Users -> [user] -> Sessions tab.


Session Statistics

The Sessions page displays four summary cards at the top of the page:

StatisticDescription
Active SessionsTotal number of sessions that are currently valid (not expired or revoked)
Unique UsersNumber of distinct users with at least one active session
Created (24h)Sessions created in the last 24 hours
Revoked (24h)Sessions manually revoked by an administrator in the last 24 hours

These statistics update automatically when the page loads. Use them to get a quick overview of authentication activity and spot anomalies such as unusual spikes in session creation.


Session List

Below the statistics, a table lists all sessions with the following columns:

ColumnDescription
UserEmail address and display name of the authenticated user
DeviceBrowser and operating system parsed from the user agent string
IP AddressThe IP address from which the session was created
Auth MethodHow the user authenticated: password, magic_link, social, sso, m2m
CreatedWhen the session was created (absolute timestamp with relative time tooltip)
Last ActivityWhen the session was last used to make an authenticated request
StatusActive, Expired, or Revoked

The table supports sorting by any column. Click a column header to toggle ascending and descending order.


Filtering Sessions

Use the filter controls above the session table to narrow down the list:

FilterOptionsDescription
SearchFree textFilter by user email or name
Auth Methodpassword, magic_link, social, sso, m2mShow only sessions created with a specific authentication method
Statusactive, expired, revokedShow only sessions in a specific state

Filters can be combined. For example, search for a user’s email and filter by active status to see only their current sessions.

Expired sessions are retained in the list for 30 days for auditing purposes. After 30 days, they are automatically purged from the database.


Session Detail

Click any session row to expand it and view the full session details:

FieldDescription
Session IDUnique identifier for the session
User AgentThe full user agent string from the browser or client
IP AddressSource IP with GeoIP location (city, country) if available
Auth MethodThe authentication method used to create the session
MFA StatusWhether multi-factor authentication was completed during this session
ACR ClaimAuthentication Context Class Reference value in the session’s tokens
AMR ClaimAuthentication Methods Reference array (for example, ["pwd", "otp"])
Created AtExact timestamp when the session was created
Last ActivityExact timestamp of the most recent authenticated request
Expires AtWhen the session will automatically expire based on session policy

The ACR and AMR claims are useful for verifying that sessions meet the required authentication assurance level, especially when step-up authentication or adaptive MFA is configured.


Revoking Sessions

Revoke a single session

In the session table, find the session you want to revoke and click the Revoke button on that row. A confirmation dialog appears. Click Confirm to revoke the session immediately.

Revoke all sessions for a user

Navigate to Console -> Users -> [user] -> Sessions tab. Click the Revoke All Sessions button at the top of the sessions list. All active sessions for that user are revoked immediately.

Understand the effect of revocation

When a session is revoked:

  • The refresh token is invalidated immediately. The user cannot obtain new access tokens.
  • The access token remains valid until it naturally expires (default: 15 minutes). This is standard behavior for JWT-based authentication, since access tokens are verified locally without a server round-trip.
  • The user is effectively logged out once their current access token expires and the refresh attempt fails.

If you need to terminate access immediately (for example, during a security incident), revoke the session and also consider reducing the access token expiry in your session policies. For truly instant revocation, applications must implement token introspection or use short-lived access tokens (for example, 1 minute).


Session Policies

Session policies control the lifetime and behavior of user sessions. Configure these at Console -> Settings -> Sessions -> Policies tab.

SettingDescriptionDefault
Session Max LifetimeThe absolute maximum duration a session can exist, regardless of activity24 hours
Idle TimeoutThe session expires after this period of inactivity (no authenticated requests)1 hour
Access Token ExpiryHow long an access token is valid before the client must refresh it15 minutes
Refresh Token ExpiryHow long a refresh token is valid. After this, the user must re-authenticate7 days
Max Concurrent SessionsMaximum number of active sessions per user. Set to 0 for unlimited5
Require MFA for Admin RolesWhether users with admin roles must complete MFA to create a sessionYes

Adjust policy values

Modify the settings in the policy form. Each field shows the current value and the system default for reference.

Save policies

Click Save. New policy values apply to all sessions created after the save. Existing sessions continue to use the policy values that were active when they were created.

Changing session policies does not retroactively affect existing sessions. If you reduce the max lifetime from 24 hours to 8 hours, sessions already created with a 24-hour lifetime continue to be valid for their original duration.


Concurrent Session Enforcement

When the Max Concurrent Sessions limit is reached and a user creates a new session, Auris automatically revokes the oldest active session for that user to make room for the new one.

How it works:

  1. User has 5 active sessions (the configured maximum)
  2. User logs in from a new device, creating session #6
  3. Auris identifies the oldest session (by creation time) and revokes it
  4. The new session is created successfully
  5. The user on the oldest device is logged out on their next token refresh

This ensures users are never prevented from logging in, while keeping the total number of active sessions bounded.

Setting the limit to 0 (unlimited) disables concurrent session enforcement entirely. Use this only if your application has no security requirement for session limits.


Session Lifecycle

A session moves through the following states:

  • Created -> Active: The session is created upon successful authentication. It becomes active immediately.
  • Active -> Expired: The session expires when either the max lifetime is reached or the idle timeout elapses without any authenticated requests.
  • Active -> Revoked: An administrator manually revokes the session, or it is automatically revoked due to concurrent session enforcement.

Once a session is in Expired or Revoked state, it cannot be reactivated. The user must authenticate again to create a new session.


API Reference

Session management is available via the REST API for programmatic access and automation.

GET/api/sessions
GET/api/sessions/:id
DELETE/api/sessions/:id
POST/api/sessions/revoke-all
GET/api/sessions/stats
GET/api/sessions/policies
PATCH/api/sessions/policies

Permissions

PermissionDescription
manage:sessionsRequired to view the session list, view session details, and revoke sessions. Also required for the session statistics dashboard.
manage:security_settingsRequired to view and modify session policy configuration (lifetimes, timeouts, concurrent limits).