Sessions
The Sessions page shows all currently active user sessions and lets administrators terminate individual sessions immediately — useful for incident response, employee offboarding, or investigating suspicious access patterns.
Fields & Columns
| Name | Description |
|---|---|
| User | Username of the authenticated user |
| IP Address | Client IP address recorded at session creation |
| User Agent | Browser or client identifier from the User-Agent header |
| Created | When this session was first created (login time) |
| Last Active | Most recent request using this session |
| Expires | Absolute expiry time — session cannot outlive this regardless of activity |
How To
Terminate a single session
- Find the session in the table by user or IP.
- Click Terminate in the Actions column.
- Confirm the dialog — the session is invalidated immediately.
- The user will receive a 401 on their next request and be redirected to login.
Terminate all sessions for a user via the GUI
- Navigate to Admin > Identity > Users.
- Find the target user in the table.
- Use the "Logout All Devices" action from the row actions menu.
- This invalidates every active session for that user simultaneously.
Terminate all sessions for a user via the API
- Send DELETE /api/admin/sessions?userId=X with the target user ID.
- All active sessions for that user are invalidated immediately.
- The user will receive a 401 on their next request from any device.
Gotchas
- Session termination is immediate — there is no undo. The user loses any unsaved work.
- The session table only shows non-expired sessions. Idle-timed-out sessions are not shown even if they still exist in the database.
- Sessions from the owner account can be terminated, but the owner can always create a new session by logging in again.
- IP spread alarms (4+ distinct IPs for one user) are a signal worth investigating here.
- Session absolute expiry is 24 hours. Idle timeout is 60 minutes — a session left unattended expires after 1 hour regardless of the 24-hour absolute limit.
- Maximum 10 concurrent sessions per user. Additional logins beyond this limit will fail until existing sessions expire or are terminated.
- Passwords must be at least 12 characters (NIST SP 800-63B aligned). Account lockout triggers after 10 consecutive failed login attempts, lasting 15 minutes.
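The lifetime rules above (24-hour absolute expiry, 60-minute idle timeout, 10 concurrent sessions per user, and the table hiding idle-timed-out rows that may still sit in the database) are easy to get wrong when writing your own tooling or reports against the session store. The following is an added example, not the product's own code: a small policy evaluator that classifies a session the way the page describes and filters a session list the way the Sessions table does. The dictionary field names (`user`, `created`, `last_active`) and the timestamps are constructed for the example.

```python
"""Added example (not the product's code): evaluate the session lifetime
rules documented on the Sessions page. Field names and timestamps are
constructed assumptions for this demonstration."""
from datetime import datetime, timedelta

ABSOLUTE_LIFETIME = timedelta(hours=24)   # absolute expiry from the page
IDLE_TIMEOUT = timedelta(minutes=60)      # idle timeout from the page
MAX_CONCURRENT_SESSIONS = 10              # per-user cap from the page


def expires_at(created):
    """The table's Expires column: the session cannot outlive this regardless of activity."""
    return created + ABSOLUTE_LIFETIME


def session_state(created, last_active, now):
    """Classify a session as 'active', 'idle_expired' or 'absolute_expired'.

    The absolute limit is checked first because it applies even to a session
    that is still being used; otherwise the idle timeout decides.
    """
    if now >= expires_at(created):
        return "absolute_expired"
    if now >= last_active + IDLE_TIMEOUT:
        return "idle_expired"
    return "active"


def visible_sessions(sessions, now):
    """What the Sessions table shows: only non-expired sessions.

    Idle-timed-out rows may still exist in the database; like the table,
    this filter drops them, so they never appear as candidates to terminate.
    """
    return [s for s in sessions
            if session_state(s["created"], s["last_active"], now) == "active"]


def login_allowed(user, sessions, now):
    """A new login is refused once the user already has 10 live sessions.

    Expired sessions no longer count toward the limit, which is why a
    slot frees up when a session expires even if nobody terminated it.
    """
    live = [s for s in visible_sessions(sessions, now) if s["user"] == user]
    return len(live) < MAX_CONCURRENT_SESSIONS


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0)   # constructed reference time
    sample = [
        {"user": "alice", "created": now - timedelta(minutes=30), "last_active": now - timedelta(minutes=10)},
        {"user": "alice", "created": now - timedelta(hours=3), "last_active": now - timedelta(minutes=90)},
        {"user": "alice", "created": now - timedelta(hours=25), "last_active": now - timedelta(minutes=5)},
    ]
    for s in sample:
        print(s["user"], expires_at(s["created"]), session_state(s["created"], s["last_active"], now))
    print("visible:", len(visible_sessions(sample, now)))
```

Note that the third constructed session is still being used (last active five minutes ago) yet is reported as expired: that is the absolute limit the Expires column documents, and it is the case most home-grown "is this session alive?" checks miss.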
API Calls (3)
| Method | Path | Description |
|---|---|---|
| GET | /api/admin/sessions | List all active sessions (paginated, limit/offset query params) |
| DELETE | /api/admin/sessions/:id | Terminate a specific session by ID |
| DELETE | /api/admin/sessions | Terminate all active sessions for a user (pass userId as a query parameter) |
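The "via the API" procedure and the three calls in the table above are what an incident-response script would drive: page through `GET /api/admin/sessions` with `limit`/`offset`, look for the IP-spread signal the Gotchas mention, and terminate sessions by ID or by user. The following is an added example, not the product's own client code. It assumes bearer-token authentication, a base URL placeholder, and JSON field names (`items`, `id`, `user`, `userId`, `ipAddress`); the endpoints, query parameters and the 4-distinct-IP threshold are the ones this page documents. The sample sessions are constructed, and an in-memory stand-in for the HTTP transport lets it run offline.

```python
"""Added example (not the product's code): drive the documented Sessions
API from an incident-response script. Base URL, auth scheme and JSON
field names are assumptions; endpoints and query parameters are from the page."""
import json
import urllib.request
from collections import defaultdict
from urllib.parse import parse_qs, urlencode, urlsplit

BASE_URL = "https://admin.example.invalid"  # assumed placeholder; replace with the real host
IP_SPREAD_THRESHOLD = 4                    # the page's "4+ distinct IPs" alarm rule


def http_json(method, path, token, base_url=BASE_URL):
    """Real transport (assumed bearer-token auth): return the decoded JSON body or {}."""
    req = urllib.request.Request(
        base_url + path, method=method,
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def list_all_sessions(request, page_size=100):
    """Walk GET /api/admin/sessions with limit/offset until a short page ends the list."""
    sessions, offset = [], 0
    while True:
        query = urlencode({"limit": page_size, "offset": offset})
        page = request("GET", "/api/admin/sessions?" + query).get("items", [])
        sessions.extend(page)
        if len(page) < page_size:
            return sessions
        offset += page_size


def ip_spread(sessions, threshold=IP_SPREAD_THRESHOLD):
    """Users whose active sessions come from `threshold` or more distinct IPs."""
    seen = defaultdict(set)
    for s in sessions:
        seen[s["user"]].add(s["ipAddress"])
    return {user: sorted(ips) for user, ips in seen.items() if len(ips) >= threshold}


def terminate_session(request, session_id):
    """DELETE /api/admin/sessions/:id - terminate one session."""
    return request("DELETE", "/api/admin/sessions/" + str(session_id))


def terminate_user_sessions(request, user_id):
    """DELETE /api/admin/sessions?userId=X - terminate every session of one user."""
    return request("DELETE", "/api/admin/sessions?" + urlencode({"userId": user_id}))


def make_fake_request(sessions, log):
    """Constructed offline stand-in for http_json: serves `sessions` in pages, records calls."""
    def request(method, path):
        log.append((method, path))
        if method == "GET":
            q = parse_qs(urlsplit(path).query)
            limit, offset = int(q["limit"][0]), int(q["offset"][0])
            return {"items": sessions[offset:offset + limit]}
        return {}
    return request


SAMPLE_SESSIONS = [  # constructed data mirroring the table's columns
    {"id": 1, "user": "alice", "userId": "u-1", "ipAddress": "203.0.113.10"},
    {"id": 2, "user": "alice", "userId": "u-1", "ipAddress": "203.0.113.11"},
    {"id": 3, "user": "alice", "userId": "u-1", "ipAddress": "198.51.100.7"},
    {"id": 4, "user": "alice", "userId": "u-1", "ipAddress": "192.0.2.44"},
    {"id": 5, "user": "bob", "userId": "u-2", "ipAddress": "203.0.113.10"},
]

if __name__ == "__main__":
    calls = []
    request = make_fake_request(SAMPLE_SESSIONS, calls)
    flagged = ip_spread(list_all_sessions(request, page_size=2))
    print("IP spread:", flagged)
    # After an analyst has reviewed the flagged users, revoke their sessions.
    for s in SAMPLE_SESSIONS:
        if s["user"] in flagged:
            terminate_session(request, s["id"])
    print("calls made:", calls)
```

Against a live instance, pass `functools.partial(http_json, token=ADMIN_TOKEN)` as `request` instead of the fake. The script flags rather than auto-terminates because the page presents IP spread as a signal worth investigating, not a verdict; termination is immediate and cannot be undone, so keep the revoke step behind a human decision and log every call you make.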
Related Pages
- Users — User management — see who is logged in and manage their access
- Auth Audit — Login and logout events provide context for session history
- Alarms — Session IP spread alarms appear here when a user has too many distinct IPs