Session Management
Overview
LoginRadius offers a comprehensive set of tools for effectively managing customer login sessions. These features enable businesses to enhance user experiences by providing secure and seamless platform access. This includes capabilities for creating sessions, tracking user logins, managing session expiration, and refreshing sessions.
Common Use Cases & Key Features
- Enhanced Security: Protect user accounts and sensitive data by setting session expiration policies, reducing the risk of unauthorized access and session hijacking.
- Improved User Experience: Features like sliding sessions and "Remember Me" will improve customer convenience by allowing them to remain logged in longer.
- Access Control & Compliance: The “Restrict Login Sharing” feature ensures compliance with organizational security policies by preventing unauthorized session sharing and enforcing access control at the user and application levels.
- Automated Security Measures: Enhance fraud prevention and account security with “Force Logout,” which automatically terminates active sessions when a user resets or changes their password, preventing unauthorized access from previous sessions.
What is a Session?
A session refers to the duration a user interacts with an application after authenticating. It allows the application to recognize the user and maintain their state across multiple requests. Sessions are managed using tokens, such as the LoginRadius Access Token, and storage mechanisms to ensure secure and seamless user experiences.
Access Token
The LoginRadius Access Token is a secure token issued after a user successfully logs in or authenticates. It is key to granting the user access to specific resources and performing authorized actions within the application.
Key Features of Access Tokens:
- Authorization:
- Enables secure access to protected resources.
- Eliminates the need for the application to handle user credentials directly.
- Short-Lived Tokens:
- Typically valid for a specific duration to minimize security risks.
- Seamless Session Continuity:
- Automatically renewing access tokens offers a smooth, uninterrupted experience, reducing users' need to log in frequently.
Managing Active SSO Sessions with LoginRadius
An active Single Sign-On (SSO) session enables seamless authentication using a valid LoginRadius Access Token. This token allows secure access to resources and user sessions. After a successful login, a session cookie is set on the Hosted Page Domain ([tenant].hub.loginradius.com).
If an SSO session is not found, the user is redirected to the logout process or presented with the login interface to re-authenticate.
For a detailed explanation of handling SSO sessions, refer to the SSO Overview.
Configuration
Follow the steps below to set up various session management options in the admin console.
- Log in to the LoginRadius Console.
- Navigate to Security > Session Management.
- Access Token Lifetime
- Refresh Token Lifetime
- Force Logout
- Remember Me
- Restrict Login Sharing
Access Token Lifetime
Access tokens are short-lived unique identifiers given to each user after successful authentication. They allow secure access to user profiles and enable operations on them.
- Navigate to Security > Session Management > Access Token.
- You can adjust the access token lifetime duration (1 to 129,600 minutes) based on your requirement.
Important Notes on Access Token
- Token Expiry: The lifetime of an access token can be set from 1 to 129,600 minutes (90 days). For a longer expiry, contact LoginRadius support.
- Default Lifetime: By default, the access token expires after 15 minutes.
- Refresh Token Adjustment: When the access token lifetime is updated, the refresh token lifetime automatically adjusts to 1.5 times the access token lifetime.
- Post-Expiry: Once expired, the access token can no longer perform any actions.
Refresh Token Lifetime
Refresh tokens help generate new access tokens without requiring users to log in again, ensuring session continuity.
- Navigate to Security > Session Management > Refresh Token
- You can extend it to 365 days (525,600 minutes); contact LoginRadius support to set a longer token expiry.
Important Notes on Refresh Token
- Lifetime: The default lifetime of a refresh token is 15 minutes.
- Revocation: A refresh token can become invalid in the following situations:
- After being used to generate a new access token.
- If manually revoked via the Revoke Refresh Token API.
- One-Time Use: A refresh token can only be used once to generate a new access token. After it’s used, it becomes invalid.
- Long-Lived Tokens: Refresh tokens are long-lived and should be stored securely (e.g., in an encrypted form) to reduce the risk of exposure.
Force Logout
Force logout ensures that all active user sessions are instantly terminated when a user changes or resets their password. It adds an extra layer of security by preventing unauthorized access from previously active sessions.
- Navigate to Security > Session Management > Force Logout
- Enable the Force Logout feature.
Remember Me
The "Remember Me" feature lets users stay logged in after restarting their browser.
- Go to Security > Session Management > Remember Me.
- Check the Remember Me checkbox to enable the feature.
- Set the token expiry time, ensuring it is shorter than the Access Token expiration time.
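The lifetime rules above (access token range, the 1.5x refresh adjustment, the refresh cap and the Remember Me constraint) can be checked before a change is applied in the console. This is an added example, not LoginRadius code; the function name, input fields and the 24-hour warning are this example's own assumptions, while the numeric limits come from this page.

```javascript
// Added example (not LoginRadius code): checks a proposed token-lifetime
// configuration against the limits stated on this page. The limits are the
// page's; the function name, input fields and the 24-hour warning are assumptions.
const ACCESS_MIN = 1;        // minutes
const ACCESS_MAX = 129600;   // minutes (90 days); longer needs LoginRadius support
const REFRESH_MAX = 525600;  // minutes (365 days); longer needs LoginRadius support
const REFRESH_FACTOR = 1.5;  // console sets refresh lifetime to 1.5 x access lifetime

// Returns { ok, accessMinutes, refreshMinutes, rememberMeMinutes, findings }.
// A finding with severity 'error' means the console will not accept the value
// as-is; 'warn' is a review point this example adds on top of the page's rules.
function planTokenLifetimes({ accessMinutes, refreshMinutes = null, rememberMeMinutes = null }) {
  const findings = [];
  const err = (msg) => findings.push({ severity: 'error', msg });
  const warn = (msg) => findings.push({ severity: 'warn', msg });

  if (!Number.isInteger(accessMinutes) || accessMinutes < ACCESS_MIN) {
    err(`access token lifetime must be an integer of at least ${ACCESS_MIN} minute`);
    return { ok: false, findings };
  }
  if (accessMinutes > ACCESS_MAX) err(`access token lifetime above ${ACCESS_MAX} minutes needs LoginRadius support`);

  // Updating the access lifetime auto-adjusts the refresh lifetime to 1.5x,
  // unless an explicit refresh lifetime is configured afterwards.
  const refresh = refreshMinutes === null ? accessMinutes * REFRESH_FACTOR : refreshMinutes;
  if (refresh > REFRESH_MAX) err(`refresh token lifetime above ${REFRESH_MAX} minutes needs LoginRadius support`);
  if (refresh < accessMinutes) warn('refresh token expires before the access token; sessions cannot be extended');

  // The page requires the Remember Me expiry to be shorter than the access token expiry.
  if (rememberMeMinutes !== null && rememberMeMinutes >= accessMinutes) err('Remember Me expiry must be shorter than the access token lifetime');

  // Example's own policy: a long-lived access token keeps a leaked token usable for longer.
  if (accessMinutes > 24 * 60) warn('access token lifetime exceeds 24 hours; prefer short access tokens plus refresh');

  return { ok: !findings.some((f) => f.severity === 'error'), accessMinutes, refreshMinutes: refresh, rememberMeMinutes, findings };
}
```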
Restrict Login Sharing
This feature prevents unauthorized session sharing by limiting simultaneous logins at the user and application levels.
- Go to Security > Session Management > Restrict Login Sharing.
- Enable the Restrict Login Sharing checkbox.
- Configure the maximum number of allowed sessions per user.
Important Notes on Login Sharing
- If the global session limit is 3 and the user-specific limit is 5, the user can have up to 5 active sessions.
- If only the global session limit is set to 3, the user can have up to 3 active sessions.
- If both limits are configured, the stricter limit takes precedence.
- If the session limit is exceeded, the user will be notified and must end an active session before logging in again.
Automated Workflows
LoginRadius automated workflows enhance session management, prioritize security, and improve user convenience. These workflows provide robust tools for managing sessions dynamically, protecting against unauthorized access, and ensuring seamless user experiences.
- Sliding Sessions: If a refresh token is used before expiration, its validity may extend based on specific configurations.
- Force Logout: Automatically terminates all active sessions when users reset or change their password, enhancing security.
- Brute Force Lockout: Blocks repeated failed login attempts so they cannot be used to mount brute-force attacks. [Ref Link]
- Remember Me: Provides secure and extended user sessions, enhancing convenience by reducing the need for frequent logins while maintaining high security.
Integration Guide
This section offers a detailed walkthrough and recommendations for integrating session management into your back end or front end via REST APIs or SDKs.
- Session Creation
- Session Introspection
- Session Extension
- Session Revocation
- Session Auditing
Session Creation
The following details describe how to generate the session token, either through the Login APIs or by generating it directly as an administrator.
- Integration via API
  - Use the Login by Email API to create the session token during login with the email/password.
  - Use the Account Impersonation API to generate the access/refresh tokens directly without a login (backend only).
- Integration via SDK
  - You can use any of the SDKs provided by LoginRadius based on your requirements for SDK implementation (LoginRadius GitHub Repositories).
  - Use the Prebuilt V2 JS Login Interface to allow users to create a session using email/username/phone and password.
Session Introspection
Session introspection analyzes an active session token to retrieve details about the user's profile and the token itself. It helps ensure secure and efficient session management.
- Validates Tokens: Checks if the token is active, expired, or revoked.
- Retrieves Profile Details: Provides user-specific attributes like roles, permissions, or preferences.
- Token Insights: Shares metadata such as token creation time, expiration, and scope.
- Integration via API
  - To validate the access token, use the Validate Access Token API.
  - To fetch the user profile using the access token, use the Read all Profiles by Token API.
  - Get the details about the access token using
- Integration via SDK
  - You can use any of the SDKs provided by LoginRadius based on your requirements for SDK implementation (LoginRadius GitHub Repositories).
  - To validate the access token on the client side, use the JS SDK.
Session Extension
Session extension allows users to continue their sessions without frequent interruptions by prolonging session validity based on activity.
- Integration via API
  - RefreshAccessToken API: refreshes the access token using the refresh token.
- Integration via SDK
  - You can use any of the SDKs provided by LoginRadius based on your requirements for SDK implementation (LoginRadius GitHub Repositories).
Session Revocation
The following details help implement session revocation when users sign out of the application, or when administrators want to revoke sessions manually or automatically.
- Integration via API
  - AccessTokenInvalidate API: revokes the access token.
  - RevokeRefreshToken API: revokes the refresh token (server-side).
- Integration via SDK
  - You can use any of the SDKs provided by LoginRadius based on your requirements for SDK implementation (LoginRadius GitHub Repositories).
  - To revoke the access token using the client-side library, use the JS SDK.
Session Auditing
Session auditing lets you monitor and retrieve details about active user sessions. It helps you control how users access their accounts across multiple devices, for example to restrict concurrent logins.
- Integration via API
  - Retrieving the Active Sessions: After logging in successfully, the user receives their profile from LoginRadius.
  - Invoke the Active Session By Account ID API to fetch the user's active sessions on different devices.
  - Implement a checkpoint that allows the login only when a single session is present; if the API returns multiple sessions, you can prevent the user from logging in.
  - Note that the Active Session By Account ID API returns the access tokens for all active sessions. For added security, you can log the user out of a specific session by invalidating the corresponding access token; refer to Session Revocation for more details.
- Integration via SDK
  - You can use any of the SDKs provided by LoginRadius based on your requirements for SDK implementation (LoginRadius GitHub Repositories).
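The checkpoint described above, applied to the list that the active-sessions lookup returns, as an added example that is not LoginRadius code. The field names in the constructed sample (AccessToken, LoginDate, Ip, Browser) and the function names are assumptions, not the documented response schema.

```javascript
// Added example (not LoginRadius code): the login checkpoint described above,
// run over a constructed list shaped like an active-sessions response.
// The field names (AccessToken, LoginDate, Ip, Browser) are assumptions, not the
// documented response schema; map them to the real field names when integrating.
const sampleSessions = [ // constructed sample data
  { AccessToken: 'tok-A', LoginDate: '2024-05-01T08:00:00Z', Ip: '203.0.113.10', Browser: 'Chrome' },
  { AccessToken: 'tok-C', LoginDate: '2024-05-02T11:15:00Z', Ip: '203.0.113.10', Browser: 'Safari' },
  { AccessToken: 'tok-B', LoginDate: '2024-05-02T09:30:00Z', Ip: '198.51.100.7', Browser: 'Firefox' },
];

// Decide whether a new login may proceed. maxSessions is the number of
// concurrent sessions allowed once this login completes.
//   evictOldest: false -> block the login and tell the user to end a session first
//                true  -> allow it and return the oldest access tokens to pass to
//                         the revocation API (see Session Revocation)
function loginCheckpoint(sessions, { maxSessions = 1, evictOldest = false } = {}) {
  const byAge = [...sessions].sort((a, b) => Date.parse(a.LoginDate) - Date.parse(b.LoginDate));
  const excess = byAge.length - (maxSessions - 1); // sessions that must go to make room
  if (excess <= 0) return { allow: true, revoke: [] };
  if (!evictOldest) {
    return { allow: false, revoke: [], reason: `${byAge.length} active session(s); limit is ${maxSessions}` };
  }
  return { allow: true, revoke: byAge.slice(0, excess).map((s) => s.AccessToken) };
}

// Audit summary for the same list: distinct source addresses and browsers,
// useful for spotting a shared login before deciding how strict the limit should be.
function summarizeSessions(sessions) {
  const ips = new Set(sessions.map((s) => s.Ip));
  const browsers = new Set(sessions.map((s) => s.Browser));
  return { total: sessions.length, distinctIps: ips.size, distinctBrowsers: browsers.size };
}
```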
Note: Some APIs require the API secret as a parameter. For security reasons, using the API secret on the client side is not recommended. We suggest using a server-side wrapper to make the API call on behalf of the client. This approach keeps the API secret off the client and prevents potential compromises of your API secret.
Best Practices
- Secure Refresh Tokens: Always store refresh tokens in a safe location to minimize the risk of token leakage.
- Set Appropriate Expiry Times: Configure Access and Refresh Token lifetimes based on the application's security needs.