Framework
Community Commercial
Menu Menu
Version
Contributors Edit (4/15/2024)
Avatar Avatar

Session Management

The Session Management feature allows you to prevent concurrent login and manage user sessions.

Prevent concurrent login

There is a setting in the identity section to prevent concurrent login. It has three options:

  1. Disabled

    No restriction on concurrent login. This is the default.

  2. LogoutFromSameTypeDevices

    Only one session of the same type can exist. Same type means we can restrict single login with a browser, but we may still can login with a mobile application without affecting the browser session. So, for each device type, we may allow a single login.

  3. LogoutFromAllDevices

    All other sessions will be logged out when a new session is created.

prevent-concurrent-login

Manage user sessions

You can view and manage user sessions on the Users page of the Identity module.

user-sessions sessions-modal.png session-details-modal.png

Once you revoke a session, the user will be logged out.

IdentitySessionCleanupBackgroundWorker

The IdentitySessionCleanupBackgroundWorker is a background worker that will remove the sessions that have not been active in the past.

IdentitySessionCleanupOptions

  • IsCleanupEnabled: Default value is true.
  • CleanupPeriod: Default value is 1 hour.
  • InactiveTimeSpan: Default value is 30 days.

How it works

This feature depends on the Dynamic Claims feature of the ABP framework. Here is how it works:

  • The IdentitySessionClaimsPrincipalContributor will generate a random GUID as a sessionid to add the ClaimsPrincipal, This usually happens when logging in to get the user's claims.
  • The OnSignedIn event of Identity and ProcessSignIn event of OpenIddict will get this sessionid and store it in the database (IdentitySession table).
  • The Dynamic Claims system's IdentitySessionDynamicClaimsPrincipalContributor will ensure the sessionid exists or signs out.
  • The IdentitySessionChecker will check the sessionid that exists and update the LastAccessed and IpAddress to the cache.
  • The IdentitySessionManager is used to get one or a list of sessions and update the LastAccessed and IpAddress from the cache to the database.
  • The module will remove the session when logging out.
  • The IdentitySessionCleanupBackgroundWorker will remove the inactive sessions.
  • Once a new session has been created, we will remove the other sessions based on the PreventConcurrentLogin setting.
  • The IdentitySessionManager is used to manage/maintain the sessions. Please use this class instead of directly using the repository.
Was this page helpful?
Please make a selection.
Thank you for your valuable feedback!

Please note that although we cannot respond to feedback, our team will use your comments to improve the experience.

In this document
.NET & AI
June 27, 2024 17:00 (UTC)
Previous Events Watch the Event
ABP Docs
See Previous Events
Mastering ABP Framework Book
Mastering ABP Framework

This book will help you gain a complete understanding of the framework and modern web application development techniques.

See Book Details