Overview#
Argus session management secures the full authentication lifecycle, from initial login through active use, token refresh, and logout, while continuously monitoring for the behavioural patterns that signal account compromise.
Session hijacking does not always announce itself. A stolen refresh token used from an unfamiliar country, a session suddenly exporting far more data than usual, or a login location that jumps between continents within the hour are signals that a simple timeout policy cannot catch on its own. JWT-based authentication with automatic token refresh keeps active sessions uninterrupted, and every refresh rotates the refresh token so reuse of a stolen token is detected immediately. Host-scoped cookies across every sign-in flow prevent credential leakage to sibling applications, and signing out revokes the presented credential instantly for browser, mobile, and API clients alike. MFA and FIDO2 authentication are supported at login and for step-up challenges triggered during the session.
Key Features#
-
Configurable Session Policies: Administrators can configure idle timeouts, absolute session duration limits, and token refresh behaviours to match organisational security requirements.
-
Automatic Token Refresh: JWT tokens are refreshed silently before expiry, avoiding authentication interruptions during active sessions. Refresh token rotation ensures each token can only be used once, making stolen token reuse immediately detectable.
-
Session Continuity Under Real-World Conditions: Session credentials are issued with roughly four times the headroom the renewal loop needs, and silent renewal tolerates slow authentication responses, eliminating mid-work sign-outs for analysts on long shifts or intermittent networks. Classification-based idle caps for higher-sensitivity workspaces are preserved and continue to slide forward with activity, and replay exposure remains bounded by immediate revocation lists and a per-request session liveness check.
-
Host-Scoped Session Cookies: Every login, SSO, refresh, and MFA flow, including the mid-login MFA challenge and citizen portal sign-in, issues cookies scoped strictly to the authentication host, so session credentials are never sent to sibling applications on the same domain. Legacy domain-wide cookies left by earlier releases are purged automatically at the next sign-in or renewal.
-
Immediate Sign-Out Revocation for All Clients: Signing out revokes the presented bearer credential instantly and platform-wide, whether or not a browser session or refresh cookie exists, so mobile apps and API integrations can genuinely terminate credentials on demand. Credential-less logout attempts are rejected.
-
Graceful Access Denial: An authenticated user denied access to an individual record or query sees a clear no-access message rather than being bounced back to the login page, so a single permission gap never interrupts the rest of their session. This behaviour applies across all platform applications through the shared application shell.
-
Cross-Site Request Protections: Every state-changing request that rides a session enforces verified request origins and anti-forgery tokens, failing closed when either check cannot be satisfied. Further origin-trust safeguards are described under Request Integrity below.
-
Multi-Device Session Management: Users can view and manage active sessions across all their devices, with the ability to remotely terminate individual sessions or log out from all devices simultaneously.
-
Concurrent Session Controls: Configurable limits on concurrent sessions prevent unauthorised account sharing and reduce the risk of undetected credential compromise.
-
Device Trust Scoring: Each device builds a trust score based on login history, geographic consistency, device integrity signals, and security patch levels. Trust scores inform access control decisions and step-up authentication requirements.
-
Behavioural Threat Detection: Continuous analysis of session behaviour identifies indicators of credential compromise, session hijacking, account takeover attempts, and automated attacks.
-
Impossible Travel Detection: Geographic analysis of login locations identifies physically impossible travel patterns, triggering step-up authentication or session termination based on configured policies.
-
Automated Threat Response: Configurable response actions automatically execute when threats are detected, including session termination, mandatory re-authentication, account lockout, and administrator notification.
How It Works#
Session Lifecycle#
-
Authentication: The user provides credentials and completes any required MFA or FIDO2 challenges. Device fingerprinting and geolocation validation assess the risk level of the login attempt.
-
Session Creation: Upon successful authentication, the system issues short-lived access tokens and longer-lived refresh tokens stored in cookies scoped to the authentication host. Session metadata records the device, location, and authentication method.
-
Active Session: During the session, continuous monitoring validates device integrity, tracks location consistency, and analyses behavioural patterns. Activity-based session extension keeps sessions alive during active use.
-
Token Refresh: Access tokens are automatically refreshed before expiry. Each refresh validates device consistency, IP continuity, and threat intelligence status, refresh tokens are rotated with each use, and classification-based idle caps slide forward with each renewal.
-
Session Termination: Sessions end through explicit logout, idle timeout, administrative action, or threat detection. All associated tokens are immediately revoked and the event is logged, for browser, mobile, and API clients alike.
Multi-Device Management#
Users have full visibility into their active sessions:
- View all active sessions with device type, location, and last activity
- Name and categorise devices for easy identification
- Terminate individual sessions or log out from all devices
- See when new devices access their account
- Review session history and security events
Threat Detection#
The session management system continuously monitors for:
- Credential Compromise: Checks against known breached credential databases, detects password spraying and credential stuffing patterns
- Session Hijacking: Token replay detection, duplicate session identification, session fixation prevention
- Account Takeover: Impossible travel, behavioural anomalies, sudden privilege escalation, unusual data access patterns
- Automated Attacks: Bot detection, distributed attack identification, progressive throttling
When threats are detected, configurable response chains execute automatically, including session termination, step-up authentication requirements, account lockout, and security team notification.
Request Integrity#
Sessions are protected against being ridden by hostile pages or spoofed origins:
- Every state-changing request enforces origin validation and anti-forgery tokens, failing closed when either check cannot be satisfied
- Sign-in redirects are validated against a strict allowlist of trusted hosts and refuse spoofed or wildcard destinations
- Shared collaboration links are minted only after full session validation and are scoped to the server-verified organisation, never a client-supplied one
- Externally influenced links are scheme-allowlisted before being rendered or embedded, blocking script-scheme injection
- Client-supplied tenant, user, and permission headers are stripped at the gateway boundary, so only server-derived identity propagates
Each of these protections is locked by an automated regression guard so it cannot silently weaken over time.
Open Standards#
- RFC 7519 (JSON Web Tokens): Access tokens and refresh tokens are issued as JWTs carrying the standard registered claims, including issuer, subject, audience, expiry, issue time, a unique token identifier, and authentication method and time; refresh token rotation invalidates each token after a single use to detect replay.
- RFC 6749 (OAuth 2.0): The authorisation framework governs token issuance, refresh flows, redirect URI validation, and the client credential patterns used throughout the session lifecycle.
- W3C Web Authentication (WebAuthn) Level 3 / FIDO2: Passkey credentials are registered and verified against a WebAuthn server; FIDO2 authenticators are supported at initial login and for step-up challenges during an active session.
- OpenID Connect Core 1.0: Federated SSO login and identity-provider integration use OIDC; authentication method and authentication time claims are evaluated when enforcing step-up authentication requirements.
- RFC 7517 (JSON Web Key Sets): Token verification consumes a JWKS endpoint to resolve the RS256 signing key by key identifier, with a refresh-on-miss strategy to handle key rotation without service disruption.
- RFC 9421 (HTTP Message Signatures): Service-to-service requests between internal platform services are signed and verified using HTTP Message Signatures to prevent request forgery at the transport layer.
- OWASP Application Security Verification Standard (ASVS) 5.0: Session controls including concurrent session limits, idle and absolute timeouts, protective cookie attributes such as HttpOnly and SameSite, and user-enumeration mitigations are implemented in accordance with ASVS V3 and V6 requirements.
Compliance#
Session management supports compliance with:
- SOC 2: Authentication controls, session management, and monitoring
- ISO 27001: Access control and secure authentication requirements
- PCI-DSS: Session timeout and authentication requirements
- HIPAA: Automatic logoff and session management for ePHI systems
- GDPR: Authentication security and data access controls
- FedRAMP: Session management and authentication requirements
Last Reviewed: 2026-07-16 Last Updated: 2026-07-16