A session is a period of time wherein a user interacts with an app. Usually triggered by the opening of an app, a session records the length and frequency of app use to show developers, marketers, and product managers how much time users spend within an app.
Session data can be very useful and informative. For instance, it can be used to determine the average length of time users spend on an app, as well as the time of day users are most likely to engage with a particular app, thus providing users important information on which they can act upon later.
As explained above, every time you visit an app, a session starts. The same goes for sessions in your own app. Without proper protection, sessions can become unsafe, like if a user leaves a session open for too long without being active.
Frontegg provides multiple session management features out-of-the-box, and can give you and your customers more control regarding the way users interact with your applications.
Frontegg's session management tools let you and your customers view and configure various session factors such as their duration or how many active sessions a user can have. You can even revoke all sessions of a specific user.
Enable those features in the Profile, Users, and Security sections of the Builder so that users with the permission have the ability to configure and manage user sessions from the Admin Portal.
Using Sessions in Frontegg SDKs
In order to gain session management features on our frontend SDKs, make sure to use the correct versions:
- @frontegg/react >= v4.0.27
- @frontegg/angular >= v4.19.0
- @frontegg/vue >= v1.0.19
- @frontegg/next >= v5.8.0
Frontegg offers three session management features for which you can set defaults.
The idle session timeout settings defines how long a session can be open while there is no activity detected. Once the session reaches this time, it will be ended.
Whether or not a session is active or not, the user will be logged out when it reaches this time limit.
This setting determines how many sessions a user can have open at the same time. If a user has reached their maximum and tries to open a new session, the oldest session will terminate and the new one will be opened.
Each of these settings can be changed, however tenants can decide for themselves what the values should be.
In this section you will learn how to enable various session management features provided by Frontegg right in the admin portal so that customer accounts can manage all aspects of user sessions.
First, we need to give certain users the ability to manage user sessions by assigning the permission of revoke all user sessions to any role that should have that authority.
- Go to Environments ➜ [NAME OF ENVIRONMENT] ➜ Authorization ➜ Permissions.
- Check the box for each role that should have this permission.
- Click "Save changes" to assign that permission to users who have the roles you chose.
As said, users who have the role you chose will have the following features enabled for them in the Admin Portal once they are enabled in the builder (we will enable them in the next sections):
- Configure session management settings
- End other user's sessions
Useful link - Development
Follow the link to enter the Permission Management of your Development environment
Useful link - Production
Follow the link to enter the Permission Management of your Production environment
In the admin portal, you can show your customer's users a list of their own sessions. It shows them details on each sessions like session start time, IP Address, location and device. If your users see that one of their sessions are compromised or they left a device somewhere, they can log out individual (or all) sessions from here.
To turn it on, go to Builder ➜ Experience ➜ Admin Portal ➜ Personal and toggle privacy settings on.
In the Admin Portal, all users should now see their live sessions.
Users can log out of individual sessions or all of them at once.
Given the right permissions, admins have control over other user's sessions. For example, if a user in a tenant loses access to their devices, an admin can log that user out of all their sessions.
This feature is included in the Users tab of the admin portal.
Go to Builder ➜ Experience ➜ Admin Portal ➜ Workspace and toggle Users on.
In the Admin Portal, users with permission should now see a list of users.
Each row in the table has an action menu on the right corner. By clicking on a row's menu you can log out that specific user from all his or her sessions in your app.
Enable customer accounts to configure session management settings in Engagement.
Go to Builder ➜ Experience ➜ Admin Portal ➜ Workspace and toggle security on.
In the Admin Portal, users with permission should now see configuration options for session management under "Session Management" tab.
This section provides various settings that give customer accounts greater control over the way users can interact with the application.
Some of the settings have a default behaviour:
Idle Session Timeout - If not enabled, the default session duration is 24 hours
Force Re-login - Users stay "Logged in" indefinitely
Maximum Concurrent Sessions - A user can login into your application as many times as they want
Updated 18 days ago