Manage Sessions

View and revoke user sessions in Authority.

Overview

Sessions represent active user logins. Each session tracks:

Device information
IP address
Login time
Last activity

User Self-Service

View Active Sessions

Users can see their sessions in the profile:

Click profile name
Select Security Settings
View Active Sessions

Revoke Session

Find the session in the list
Click Revoke
Confirm revocation

The session is immediately invalidated.

Admin Management

View User Sessions

GET /api/users/{id}/sessions
Authorization: Bearer {admin_token}

Response:

{
  "data": [
    {
      "id": "session-uuid",
      "created_at": "2024-01-15T10:30:00Z",
      "last_activity": "2024-01-15T14:20:00Z",
      "ip_address": "192.168.1.100",
      "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...",
      "device": "Chrome on macOS",
      "location": "San Francisco, CA"
    }
  ]
}

Revoke Specific Session

DELETE /api/sessions/{session_id}
Authorization: Bearer {admin_token}

Revoke All User Sessions

DELETE /api/users/{id}/sessions
Authorization: Bearer {admin_token}

This forces the user to re-authenticate on all devices.

Session Settings

Configuration

Variable

Default

Description

SESSION_DURATION_DAYS

7

Maximum session lifetime

IDLE_TIMEOUT_MINUTES

30

Timeout after inactivity

SINGLE_SESSION

false

Allow only one active session

Single Session Mode

Force users to have only one active session:

SINGLE_SESSION=true

When enabled, logging in from a new device revokes existing sessions.

Idle Timeout

End sessions after inactivity:

IDLE_TIMEOUT_MINUTES=30

Users are logged out after 30 minutes of inactivity.

Session Information

Each session captures:

Field

Description

ip_address

Client IP at login

user_agent

Browser/app information

device

Parsed device type

location

Approximate location (if enabled)

created_at

last_activity

Last request timestamp

Security Alerts

Notify on New Session

Email users about new logins:

NOTIFY_NEW_SESSION=true

Email content:

New login to your Authority account

Device: Chrome on macOS
Location: San Francisco, CA
Time: January 15, 2024 at 10:30 AM

If this wasn't you, secure your account immediately.

Suspicious Session Detection

Alert on unusual patterns:

Login from new location
Multiple simultaneous sessions
Login outside business hours

Bulk Session Management

Revoke All Sessions (System-Wide)

For security incidents:

crystal run src/tasks/revoke_all_sessions.cr

Revoke by Criteria

# Revoke sessions older than 30 days
DELETE /api/sessions?older_than=30d
Authorization: Bearer {admin_token}

# Revoke sessions from specific IP
DELETE /api/sessions?ip=192.168.1.100
Authorization: Bearer {admin_token}

Session in OAuth Flow

Token and Session Relationship

User Session
    └── Access Token 1
    └── Access Token 2
    └── Refresh Token 1

Revoking a session can optionally revoke associated tokens:

REVOKE_TOKENS_ON_SESSION_END=true

SSO Session

For single sign-on, a single session can authorize multiple clients.

Monitoring

Active Session Count

GET /api/metrics/sessions
Authorization: Bearer {admin_token}

{
  "active_sessions": 1250,
  "sessions_today": 342,
  "unique_users": 890
}

Session Audit Events

Event

Description

session.created

New login

session.refreshed

Session activity

session.revoked

Session ended

session.expired

Session timed out

Next Steps

Create Admin - Admin accounts
Password Reset - Reset passwords
Audit Logging - Track sessions

PreviousUser Management NextPassword Reset

Last updated 4 days ago

Was this helpful?

hashtagOverview

hashtagUser Self-Service

hashtagView Active Sessions

hashtagRevoke Session

hashtagAdmin Management

hashtagView User Sessions

hashtagRevoke Specific Session

hashtagRevoke All User Sessions

hashtagSession Settings

hashtagConfiguration

hashtagSingle Session Mode

hashtagIdle Timeout

hashtagSession Information

hashtagSecurity Alerts

hashtagNotify on New Session

hashtagSuspicious Session Detection

hashtagBulk Session Management

hashtagRevoke All Sessions (System-Wide)

hashtagRevoke by Criteria

hashtagSession in OAuth Flow

hashtagToken and Session Relationship

hashtagSSO Session

hashtagMonitoring

hashtagActive Session Count

hashtagSession Audit Events

hashtagNext Steps

Overview

User Self-Service

View Active Sessions

Revoke Session

Admin Management

View User Sessions

Revoke Specific Session

Revoke All User Sessions

Session Settings

Configuration

Single Session Mode

Idle Timeout

Session Information

Security Alerts

Notify on New Session

Suspicious Session Detection

Bulk Session Management

Revoke All Sessions (System-Wide)

Revoke by Criteria

Session in OAuth Flow

Token and Session Relationship

SSO Session

Monitoring

Active Session Count

Session Audit Events

Next Steps