Session Management
The Session Management feature allows you to prevent concurrent login and manage user sessions.
Prevent concurrent login
There is a setting in the identity section to prevent concurrent login. It has three options:
- Disabled: No restriction on concurrent login. This is the default.
- LogoutFromSameTypeDevices: Only one session of the same type can exist. "Same type" means that we can restrict the browser to a single login while still being able to log in with a mobile application without affecting the browser session. So, for each device type, we may allow a single login.
- LogoutFromAllDevices: All other sessions will be logged out when a new session is created.
Manage user sessions
You can view and manage user sessions on the Users page of the Identity module.
Once you revoke a session, the user will be logged out.
IdentitySessionCleanupBackgroundWorker
The IdentitySessionCleanupBackgroundWorker is a background worker that will remove the sessions that have not been active in the past.
IdentitySessionCleanupOptions
- IsCleanupEnabled: Default value is true.
- CleanupPeriod: Default value is 1 hour.
- InactiveTimeSpan: Default value is 30 days.
How it works
This feature depends on the Dynamic Claims feature of the ABP framework. Here is how it works:
- The IdentitySessionClaimsPrincipalContributor will generate a random GUID as a sessionid and add it to the ClaimsPrincipal. This usually happens when logging in to get the user's claims.
- The OnSignedIn event of Identity and the ProcessSignIn event of OpenIddict will get this sessionid and store it in the database (IdentitySession table).
- The Dynamic Claims system's IdentitySessionDynamicClaimsPrincipalContributor will ensure the sessionid exists, or else sign the user out.
- The IdentitySessionChecker will check that the sessionid exists and update the LastAccessed and IpAddress in the cache.
- The IdentitySessionManager is used to get one or a list of sessions and to update the LastAccessed and IpAddress from the cache to the database.
- The module will remove the session when logging out.
- The IdentitySessionCleanupBackgroundWorker will remove the inactive sessions.
- Once a new session has been created, we will remove the other sessions based on the PreventConcurrentLogin setting.
- The IdentitySessionManager is used to manage/maintain the sessions. Please use this class instead of directly using the repository.
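The lifecycle listed above, as an added stand-alone model (not ABP's own code): it shows how the PreventConcurrentLogin setting decides which sessions a new sign-in revokes, how a missing sessionid forces sign-out, and how the cleanup pass uses InactiveTimeSpan. SessionStoreModel, Session, Demo and the "Browser"/"Mobile" device labels are hypothetical names, and the cache and database are collapsed into one dictionary.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Simplified in-memory model (assumption): these are not ABP's classes or tables.
enum PreventConcurrentLogin { Disabled, LogoutFromSameTypeDevices, LogoutFromAllDevices }
record Session(Guid SessionId, Guid UserId, string Device, DateTime LastAccessed);
class SessionStoreModel
{
    private readonly Dictionary<Guid, Session> _sessions = new();
    public PreventConcurrentLogin Mode { get; set; } = PreventConcurrentLogin.Disabled;
    // Sign-in: revoke conflicting sessions per the setting, then store a random GUID sessionid.
    public Guid SignIn(Guid userId, string device, DateTime now)
    {
        var revoked = _sessions.Values.Where(x => x.UserId == userId && (
            Mode == PreventConcurrentLogin.LogoutFromAllDevices ||
            (Mode == PreventConcurrentLogin.LogoutFromSameTypeDevices && x.Device == device))).ToList();
        foreach (var old in revoked) _sessions.Remove(old.SessionId);
        var id = Guid.NewGuid();
        _sessions[id] = new Session(id, userId, device, now);
        return id;
    }
    // Per-request check: an unknown sessionid means the caller must be signed out.
    public bool Check(Guid sessionId, DateTime now)
    {
        if (!_sessions.TryGetValue(sessionId, out var s)) return false;
        _sessions[sessionId] = s with { LastAccessed = now };
        return true;
    }
    // Cleanup pass: remove sessions idle for longer than inactiveTimeSpan.
    public int Cleanup(DateTime now, TimeSpan inactiveTimeSpan)
    {
        var stale = _sessions.Values.Where(x => now - x.LastAccessed > inactiveTimeSpan).ToList();
        foreach (var old in stale) _sessions.Remove(old.SessionId);
        return stale.Count;
    }
}
static class Demo
{
    static void Main()
    {
        var store = new SessionStoreModel { Mode = PreventConcurrentLogin.LogoutFromSameTypeDevices };
        var user = Guid.NewGuid();          // constructed sample user
        var t0 = new DateTime(2024, 1, 1);  // constructed timestamps
        var web1 = store.SignIn(user, "Browser", t0);
        var app = store.SignIn(user, "Mobile", t0);
        store.SignIn(user, "Browser", t0.AddHours(1));  // second browser login replaces web1
        Console.WriteLine($"web1 valid: {store.Check(web1, t0.AddHours(2))}");
        Console.WriteLine($"app valid: {store.Check(app, t0.AddDays(10))}");
        Console.WriteLine($"cleaned: {store.Cleanup(t0.AddDays(31).AddHours(2), TimeSpan.FromDays(30))}");
    }
}
```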