
Auth: Session Concurrency & Lifecycle Control

Category: Modules
Last Updated: May 26, 2026
Tags: modules, real-time, compliance

Overview

When a field operator logs in from a new device while an existing session is still active, the platform must decide immediately whether to permit the second session, challenge the user, or terminate the oldest session. Session Concurrency and Lifecycle Control enforces that decision in real time, applying configurable per-user and per-role policies so that shared credentials, stolen tokens, and abandoned sessions cannot quietly persist as attack surfaces. Every session carries a device fingerprint and an origin record, enabling administrators to audit exactly which devices were active during any incident window.

Beyond concurrent-login enforcement, the capability governs the full lifetime of a session: idle timeouts that expire sessions after a configurable period of inactivity, absolute timeouts that terminate long-lived sessions regardless of activity, and global revocation that allows an administrator or an automated fraud signal to invalidate every session belonging to a user or an entire organisation simultaneously. Session state is held in Redis so that revocation propagates across all serving nodes within milliseconds, with PostgreSQL providing the authoritative audit record of every session event.

Key Features

  • Concurrent session limits: Administrators configure the maximum number of simultaneous active sessions permitted per user or per role, with policy options to reject the new login, evict the oldest session, or challenge the user with a step-up verification.
  • Real-time session invalidation: Revocation commands propagate to the Redis session store within milliseconds, ensuring that a compromised or shared token cannot be reused after an administrator or automated rule triggers revocation.
  • Idle and absolute timeouts: Sessions that remain inactive beyond a configurable idle period are expired automatically; a separate absolute timeout ensures no session can remain valid indefinitely regardless of activity, supporting compliance with access-window requirements.
  • Device-specific session tracking: Each session is bound to a device fingerprint derived from browser and network characteristics, allowing administrators to identify and terminate sessions originating from unrecognised or anomalous devices without affecting other active sessions.
  • Global revocation: A single administrative action can terminate all sessions for a user, a group, or an entire organisation, supporting rapid response to credential compromise or insider-threat incidents.
  • Anomaly-triggered termination: Integration with fraud detection signals allows sessions exhibiting behavioural anomalies such as impossible-travel logins or sudden privilege escalation patterns to be suspended automatically pending re-authentication.
  • Full session audit trail: Every session lifecycle event (creation, renewal, idle expiry, absolute expiry, and revocation) is written to a tamper-evident audit log with user identity, device fingerprint, timestamp, and the reason for termination.
  • Organisation-scoped policies: Concurrency and timeout rules are configured independently per organisation and per role, allowing a single deployment to enforce stricter controls for high-privilege operators without affecting standard user workflows.
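The decisions described in the Overview and the feature list above (a concurrency limit that rejects, evicts the oldest session or challenges; idle and absolute timeouts; device binding; global revocation; an audit trail), worked through in Python as an added example. This is not the platform's own code: an in-memory dict stands in for the Redis session store and a list for the PostgreSQL audit log, and the policy constants, event names, fingerprint strings and the `SessionStore` API are this example's assumptions, not the product's.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass

REJECT, EVICT_OLDEST, CHALLENGE = "reject", "evict_oldest", "challenge"  # page's three actions; names ours


@dataclass
class Policy:
    max_sessions: int = 1
    on_limit: str = EVICT_OLDEST
    idle_timeout: int = 30 * 60        # seconds since last activity (SP 800-63B AAL2 limit)
    absolute_timeout: int = 12 * 3600  # seconds since creation, activity or not


@dataclass
class Session:
    sid: str
    user: str
    role: str
    device: str       # fingerprint captured at login; every request must present it again
    created: float
    last_seen: float
    step_up_pending: bool = False


class SessionStore:
    def __init__(self, policies: dict[str, Policy]) -> None:
        self.policies = policies                           # role -> Policy
        self.sessions: dict[str, Session] = {}             # stands in for the Redis store
        self.audit: list[tuple[str, str, str, str]] = []   # stands in for PostgreSQL: (event, user, sid, reason)

    def _terminate(self, s: Session, event: str, reason: str) -> None:
        del self.sessions[s.sid]         # from here on the sid fails validation on every node
        self.audit.append((event, s.user, s.sid, reason))

    def active_for(self, user: str) -> list[Session]:
        return sorted((s for s in self.sessions.values() if s.user == user),
                      key=lambda s: s.created)             # oldest first: [0] is the eviction candidate

    def login(self, user: str, role: str, device: str, now: float) -> Session | None:
        pol = self.policies[role]
        over_limit = len(self.active_for(user)) >= pol.max_sessions
        if over_limit and pol.on_limit == REJECT:
            self.audit.append(("login_rejected", user, "-", "concurrency_limit"))
            return None
        if over_limit and pol.on_limit == EVICT_OLDEST:
            self._terminate(self.active_for(user)[0], "revocation", "evicted_by_new_login")
        # CHALLENGE admits the session but holds it until step-up verification clears it.
        s = Session(secrets.token_urlsafe(32), user, role, device, now, now,
                    step_up_pending=over_limit and pol.on_limit == CHALLENGE)
        self.sessions[s.sid] = s
        self.audit.append(("creation", user, s.sid, "step_up_required" if s.step_up_pending else "ok"))
        return s

    def validate(self, sid: str, device: str, now: float) -> str:
        """Per-request check: returns "ok" or the reason the request is refused."""
        s = self.sessions.get(sid)
        if s is None:
            return "unknown_or_revoked"
        if s.device != device:           # token presented from a device it was not bound to
            return "device_mismatch"
        pol = self.policies[s.role]
        if now - s.created > pol.absolute_timeout:   # checked first: activity cannot extend it
            self._terminate(s, "absolute_expiry", "absolute_timeout")
            return "absolute_expiry"
        if now - s.last_seen > pol.idle_timeout:
            self._terminate(s, "idle_expiry", "idle_timeout")
            return "idle_expiry"
        if s.step_up_pending:
            return "step_up_required"
        s.last_seen = now                # sliding idle window; `created` never moves
        self.audit.append(("renewal", s.user, sid, "ok"))
        return "ok"

    def revoke_user(self, user: str, reason: str) -> int:
        victims = self.active_for(user)  # global revocation for one user
        for s in victims:
            self._terminate(s, "revocation", reason)
        return len(victims)


def demo() -> dict:
    # Constructed walk-through: an evict-oldest operator and a reject-on-limit analyst.
    store = SessionStore({
        "operator": Policy(1, EVICT_OLDEST, idle_timeout=900, absolute_timeout=3600),
        "analyst": Policy(2, REJECT),
    })
    t0, out = 1_700_000_000.0, {}
    a = store.login("op1", "operator", "fp-laptop", t0)
    b = store.login("op1", "operator", "fp-tablet", t0 + 60)       # second device evicts a
    out["evicted"] = store.validate(a.sid, "fp-laptop", t0 + 61)
    out["other_device"] = store.validate(b.sid, "fp-phone", t0 + 62)
    out["alive"] = store.validate(b.sid, "fp-tablet", t0 + 120)
    out["idle"] = store.validate(b.sid, "fp-tablet", t0 + 120 + 901)
    c = store.login("op1", "operator", "fp-tablet", t0 + 2000)
    for dt in (800, 1500, 2200, 2900):                               # never idle for 900 s
        store.validate(c.sid, "fp-tablet", t0 + 2000 + dt)
    out["absolute"] = store.validate(c.sid, "fp-tablet", t0 + 2000 + 3601)
    for fp in ("fp-1", "fp-2"):
        store.login("an1", "analyst", fp, t0)
    out["rejected"] = store.login("an1", "analyst", "fp-3", t0) is None
    out["revoked_count"] = store.revoke_user("an1", "credential_compromise")
    out["audit"] = store.audit
    return out
```

Two design points carry over to a real store. The absolute timeout is checked before the idle timeout and is measured from `created`, which `validate` never updates, so no amount of activity can extend it. A device mismatch refuses the request without terminating the session, so a replayed token does not let the attacker lock the legitimate device out; a deployment that prefers to terminate on mismatch does so in that same branch and records the reason in the audit log.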

Use Cases

  • Preventing credential sharing: Enforcing a per-user session limit makes it immediately apparent when a single account is being used from multiple locations simultaneously, deterring password sharing and flagging potential compromise.
  • Enforcing strict operational access windows: Absolute session timeouts ensure that personnel access is automatically revoked at the end of a shift or exercise period without requiring manual administrator intervention.
  • Rapid response to account compromise: When a credential-theft incident is detected, global revocation terminates all active sessions for the affected user instantly, limiting the window of unauthorised access to seconds rather than hours.
  • Regulatory audit readiness: The complete session audit trail provides the evidence base required for access-review audits, demonstrating that dormant and shared sessions were controlled in accordance with policy.
  • Zero-trust device posture enforcement: Binding sessions to device fingerprints means that a token lifted from one device is refused when it is presented with a different fingerprint, supporting zero-trust access principles without requiring client-side agent software. Because the fingerprint is derived from browser and network characteristics rather than a key held on the device, it raises the cost of replay rather than ruling it out, and is most effective alongside short idle timeouts and anomaly-triggered termination.

Integration

Session Concurrency and Lifecycle Control integrates with the platform's Redis-backed session cache for millisecond-scale revocation propagation across all serving nodes, with PostgreSQL for the authoritative audit record, and with the platform's fraud and anomaly detection pipeline so that behavioural risk signals can trigger automatic session termination. The capability sits behind the platform's Zero Trust Network Access gateway, so every session validation occurs after network-level policy checks have passed. It also publishes revocation events to the platform's real-time event bus so that connected services, such as active WebSocket channels and API gateway authorisation caches, are invalidated consistently rather than serving a revoked session from a stale cache.

Open Standards

  • RFC 6749 and RFC 6750 (OAuth 2.0): Session tokens are issued and validated in accordance with the OAuth 2.0 authorisation framework, with bearer-token handling following RFC 6750 security guidance.
  • OpenID Connect Core 1.0, with Session Management 1.0, Front-Channel Logout 1.0 and Back-Channel Logout 1.0: Session state and logout follow these OpenID Connect specifications, so that federated identity providers can participate in revocation through either the front-channel or the back-channel logout flow.
  • RFC 7519 (JSON Web Token): Signed session tokens use the JWT format, enabling stateless signature and expiry validation at edge nodes. Because a valid signature alone cannot reflect a revocation issued after the token was signed, the Redis store remains the authoritative revocation check on every request.
  • NIST SP 800-63B (Digital Identity Guidelines): Idle and absolute timeout thresholds, re-authentication triggers, and session binding requirements are designed to meet NIST authenticator assurance levels AAL2 and AAL3, including the 30-minute (AAL2) and 15-minute (AAL3) inactivity limits and the 12-hour re-authentication ceiling that applies regardless of activity.
  • ISO/IEC 27001 (Information Security Management): Session lifecycle controls support the ISO/IEC 27001 Annex A controls relating to access control and to logging and monitoring, and the audit trail supplies the evidence those controls require.
  • eIDAS Regulation (EU) No 910/2014: Session assurance levels and audit evidence align with eIDAS requirements for electronic identification and trust services used in European public-sector deployments.
  • ETSI TS 119 400 (Trust Service Provisioning): Audit log integrity and non-repudiation of session events are consistent with ETSI trust service standards applicable to regulated environments.
  • OASIS Security Assertion Markup Language (SAML) 2.0: Session termination supports the SAML Single Logout profile over both the SOAP back-channel binding and the HTTP Redirect and POST front-channel bindings, enabling coordinated session revocation across enterprise single sign-on deployments.
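The two-step check behind the RFC 7519 item above (stateless signature and expiry validation at the edge, then the authoritative revocation lookup), as an added Python example; it is not the platform's validation code. It assumes HS256 with a shared key purely for brevity, pins the algorithm so a token cannot select `none`, and uses a dict keyed by `jti` as a stand-in for the Redis revocation set. The key, claims and `jti` values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(key: bytes, claims: dict) -> str:
    """Issue an HS256 JWT in compact serialisation (RFC 7519 on top of RFC 7515)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


class Revocations:
    """Stand-in for the Redis revocation set: jti -> exp of the revoked token.
    An entry only has to live until the token would have expired on its own."""

    def __init__(self) -> None:
        self._revoked: dict[str, int] = {}

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp              # in Redis: SET the jti, then EXPIREAT exp

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked

    def purge(self, now: int) -> int:
        """Drop entries whose token is expired anyway (what a Redis TTL does for free)."""
        dead = [j for j, exp in self._revoked.items() if exp <= now]
        for j in dead:
            del self._revoked[j]
        return len(dead)


def verify(key: bytes, token: str, now: int, revocations: Revocations) -> tuple[bool, str]:
    """Edge check: stateless signature and expiry first, then the stateful revocation lookup."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    try:
        hdr = json.loads(_unb64(parts[0]))
        claims = json.loads(_unb64(parts[1]))
        sig = _unb64(parts[2])
    except ValueError:                         # covers bad base64, bad JSON and bad UTF-8
        return False, "malformed"
    if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":   # pin the algorithm; never let the token choose
        return False, "alg_not_allowed"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad_signature"
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    if revocations.is_revoked(str(claims.get("jti", ""))):      # a valid signature is not enough
        return False, "revoked"
    return True, str(claims.get("sub", ""))


def demo() -> dict:
    key = b"constructed-example-key-not-for-production"   # real keys live in a secret store
    rev = Revocations()
    now = 1_700_000_000
    tok = mint(key, {"sub": "op1", "jti": "sess-42", "iat": now, "exp": now + 900})
    out = {"fresh": verify(key, tok, now + 10, rev)}
    rev.revoke("sess-42", now + 900)                        # admin action or fraud signal
    out["after_revoke"] = verify(key, tok, now + 20, rev)
    out["wrong_key"] = verify(b"another-key", tok, now + 20, rev)
    header_none = _b64(b'{"alg":"none","typ":"JWT"}')       # unsigned token with the same claims
    alg_none = header_none + "." + tok.split(".")[1] + "."
    out["alg_none"] = verify(key, alg_none, now + 20, rev)
    out["expired"] = verify(key, tok, now + 900, rev)
    out["purged"] = rev.purge(now + 900)
    return out
```

Keying the denylist by `jti` and expiring each entry at the token's `exp` keeps it bounded: a revoked token only has to be remembered until it would have expired on its own, which is exactly what a Redis `EXPIREAT` gives you. Without the lookup, a stolen token stays valid until `exp` no matter how quickly an administrator revokes it, which is why the page treats the Redis store, not the signature, as authoritative.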

Availability

  • Enterprise Plan: Included
  • Professional Plan: Available with configurable concurrent-session limits; global revocation and anomaly-triggered termination require the Enterprise Plan.

Last Reviewed: 2026-05-26
