Overview#
Session hijacking does not always announce itself. A stolen refresh token used from an IP address two continents away, a legitimate session suddenly exporting ten times its normal data volume, a user whose login location jumped from London to Jakarta in forty minutes: these are the signals that a rule-based timeout policy will never catch. Argus session management secures the full authentication lifecycle from initial login through active use, token refresh, and logout, while continuously watching for the behavioural patterns that signal account compromise.
JWT-based authentication with automatic token refresh keeps active sessions uninterrupted. Every refresh rotates the refresh token, so a token that has already been exchanged is rejected and flagged the moment it is presented again, whether by an attacker holding a stolen copy or by the legitimate client. Tokens are stored in host-only cookies, so the browser sends them only to the issuing host and never to sibling subdomains. MFA and FIDO2 authentication are supported at login and for step-up challenges triggered during the session.
Key Features#
- Configurable Session Policies: Administrators can configure idle timeouts, absolute session duration limits, and token refresh behaviours to match organisational security requirements.
- Automatic Token Refresh: Seamless JWT token refresh before expiration eliminates authentication interruptions during active sessions. Refresh token rotation ensures each token can be exchanged only once, so a replayed token is rejected and the reuse is flagged as a compromise signal.
- Multi-Device Session Management: Users can view and manage active sessions across all their devices, with the ability to remotely terminate individual sessions or log out from all devices simultaneously.
- Concurrent Session Controls: Configurable limits on concurrent sessions prevent unauthorised account sharing and reduce the risk of undetected credential compromise.
- Device Trust Scoring: Each device builds a trust score based on login history, geographic consistency, device integrity signals, and security patch levels. Trust scores inform access control decisions and step-up authentication requirements.
- Behavioural Threat Detection: Continuous analysis of session behaviour identifies credential compromise, session hijacking, account takeover attempts, and automated attacks, with tuning aimed at high accuracy and low false positive rates.
- Impossible Travel Detection: Geographic analysis of consecutive login locations identifies travel that could not physically have happened in the elapsed time, triggering step-up authentication or session termination based on configured policies.
- Automated Threat Response: Configurable response actions execute automatically when threats are detected, including session termination, mandatory re-authentication, account lockout, and administrator notification.
How It Works#
Session Lifecycle#
- Authentication: The user provides credentials and completes any required MFA or FIDO2 challenges. Device fingerprinting and geolocation validation assess the risk level of the login attempt.
- Session Creation: Upon successful authentication, the system issues short-lived access tokens and longer-lived refresh tokens stored in host-only cookies. Session metadata records the device, location, and authentication method.
- Active Session: During the session, continuous monitoring validates device integrity, tracks location consistency, and analyses behavioural patterns. Activity-based session extension keeps sessions alive during active use, within the absolute duration limit.
- Token Refresh: Access tokens are automatically refreshed before expiration. Each refresh validates device consistency, IP continuity, and threat intelligence status. Refresh tokens are rotated with each use.
- Session Termination: Sessions end through explicit logout, idle timeout, absolute timeout, administrative action, or threat detection. All associated tokens are immediately revoked and the event is logged.
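The refresh step above is the one that does the security work, so here is a worked model of it. This is an added example written for this page, not Argus code: every refresh token belongs to a family created at login, a refresh consumes the presented token and issues a new one in the same family, and presenting an already-consumed token revokes the whole family so both the attacker's copy and the victim's copy die together. The in-memory store, the issuer and audience strings, the TTLs, and the use of HS256 (chosen only so the example runs with the standard library; the page describes RS256 keys served over JWKS) are all assumptions.

```python
"""Refresh-token rotation with replay detection (added example, not Argus code)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_access_jwt(claims: dict, key: bytes) -> str:
    """Compact HS256 JWT (RFC 7519 layout: header.payload.signature).
    HS256 is an assumption for a self-contained demo; production uses RS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class ReplayDetected(Exception):
    """A consumed refresh token was presented again; its whole family is now revoked."""


@dataclass
class RefreshRecord:
    family: str          # one family per login; every rotation stays in it
    sub: str
    expires_at: float    # absolute lifetime, not extended by rotation
    used: bool = False


class SessionStore:
    """In-memory stand-in for the server-side session store (assumption)."""

    ACCESS_TTL = 300          # 5 minutes, assumed policy
    REFRESH_TTL = 8 * 3600    # 8 hours absolute, assumed policy

    def __init__(self, signing_key: bytes, now=time.time):
        self.key = signing_key
        self.now = now                                  # injectable clock
        self.refresh: dict[str, RefreshRecord] = {}     # refresh token -> record
        self.revoked_families: set[str] = set()

    def _issue(self, sub: str, family: str) -> tuple[str, str]:
        t = self.now()
        access = mint_access_jwt(
            {"iss": "https://auth.example", "sub": sub, "aud": "argus-api",
             "iat": int(t), "exp": int(t + self.ACCESS_TTL),
             "jti": secrets.token_urlsafe(16)},
            self.key,
        )
        refresh = secrets.token_urlsafe(32)             # opaque, high-entropy handle
        self.refresh[refresh] = RefreshRecord(family, sub, t + self.REFRESH_TTL)
        return access, refresh

    def login(self, sub: str) -> tuple[str, str]:
        """Start a new token family; called after credentials and MFA are verified."""
        return self._issue(sub, family=secrets.token_urlsafe(8))

    def rotate(self, presented: str) -> tuple[str, str]:
        """Exchange a refresh token for a new access/refresh pair, exactly once."""
        rec = self.refresh.get(presented)
        if rec is None or rec.family in self.revoked_families or rec.expires_at <= self.now():
            raise PermissionError("invalid, revoked or expired refresh token")
        if rec.used:
            # Replay: this token was already exchanged. Two parties hold it, and we
            # cannot tell which is the thief, so the entire family is revoked.
            self.revoked_families.add(rec.family)
            raise ReplayDetected(rec.family)
        rec.used = True
        return self._issue(rec.sub, rec.family)

    def logout(self, presented: str) -> None:
        """Explicit logout revokes the family, not just the one token in hand."""
        rec = self.refresh.get(presented)
        if rec is not None:
            self.revoked_families.add(rec.family)


if __name__ == "__main__":
    store = SessionStore(b"demo-signing-key")
    _, r1 = store.login("alice")
    _, r2 = store.rotate(r1)          # legitimate refresh
    try:
        store.rotate(r1)              # attacker replays the stolen, consumed token
    except ReplayDetected as e:
        print("replay detected, family revoked:", e)
```

The family-wide revocation is the part that matters: rejecting only the replayed token would leave the attacker free if they were the one who refreshed first and the victim second.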
Multi-Device Management#
Users have full visibility into their active sessions:
- View all active sessions with device type, location, and last activity
- Name and categorise devices for easy identification
- Terminate individual sessions or log out from all devices
- See when new devices access their account
- Review session history and security events
Threat Detection#
The session management system continuously monitors for:
- Credential Compromise: Checks against known breached credential databases, detects password spraying and credential stuffing patterns
- Session Hijacking: Token replay detection, duplicate session identification, session fixation prevention
- Account Takeover: Impossible travel, behavioural anomalies, sudden privilege escalation, unusual data access patterns
- Automated Attacks: Bot detection, distributed attack identification, progressive throttling
When threats are detected, configurable response chains execute automatically, including session termination, step-up authentication requirements, account lockout, and security team notification.
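Impossible travel is the most mechanical of the signals listed above, so here is one way to compute it. This is an added example, not Argus detection code: it takes a user's login events in time order, computes the great-circle distance between consecutive logins and the speed that distance implies, ignores moves shorter than a GeoIP jitter allowance, and maps the speed onto a two-threshold policy (step-up above one speed, termination above a higher one). The thresholds, the jitter allowance, the coordinates and the four sample logins are all constructed for this example.

```python
"""Impossible-travel check over a user's login stream (added example, not Argus code)."""
from __future__ import annotations

import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: int        # unix seconds
    lat: float
    lon: float
    ip: str


@dataclass(frozen=True)
class TravelVerdict:
    action: str            # "allow" | "step_up" | "terminate"
    distance_km: float
    speed_kmh: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a spherical Earth."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def assess_travel(prev: LoginEvent | None, cur: LoginEvent,
                  step_up_kmh: float = 900.0,       # assumed: roughly airliner speed
                  terminate_kmh: float = 3000.0,    # assumed: nothing civil flies this fast
                  min_distance_km: float = 100.0    # assumed: GeoIP city-level noise
                  ) -> TravelVerdict:
    if prev is None:
        return TravelVerdict("allow", 0.0, 0.0)     # first login: nothing to compare
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if distance < min_distance_km:
        # Inside GeoIP noise; also avoids dividing a tiny gap into a huge "speed".
        return TravelVerdict("allow", distance, 0.0)
    hours = max(cur.ts - prev.ts, 1) / 3600.0       # guard against zero-second gaps
    speed = distance / hours
    if speed >= terminate_kmh:
        action = "terminate"
    elif speed >= step_up_kmh:
        action = "step_up"
    else:
        action = "allow"
    return TravelVerdict(action, distance, speed)


def evaluate_stream(events: list[LoginEvent]) -> list[TravelVerdict]:
    """Sort one user's logins by time and judge each against its predecessor."""
    verdicts: list[TravelVerdict] = []
    prev: LoginEvent | None = None
    for ev in sorted(events, key=lambda e: e.ts):
        verdicts.append(assess_travel(prev, ev))
        prev = ev
    return verdicts


# Constructed sample: London, London again 10 min later, Paris 3 h later, Jakarta 40 min after that.
SAMPLE_LOGINS = [
    LoginEvent("alice", 1_700_000_000, 51.5074, -0.1278, "203.0.113.10"),
    LoginEvent("alice", 1_700_000_600, 51.5200, -0.1000, "203.0.113.10"),
    LoginEvent("alice", 1_700_011_400, 48.8566, 2.3522, "198.51.100.7"),
    LoginEvent("alice", 1_700_013_800, -6.2088, 106.8456, "192.0.2.44"),
]

if __name__ == "__main__":
    for ev, v in zip(sorted(SAMPLE_LOGINS, key=lambda e: e.ts), evaluate_stream(SAMPLE_LOGINS)):
        print(f"{ev.ip:>14} {v.distance_km:8.0f} km {v.speed_kmh:9.0f} km/h -> {v.action}")
```

The jitter allowance is the caveat practitioners hit first: without it, two logins a few seconds apart that GeoIP places in neighbouring cities produce an absurd speed and a false lockout. Per-user baselines and VPN/egress awareness would sit on top of this, not replace the distance check.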
Open Standards#
- RFC 7519 (JSON Web Tokens): Access tokens and refresh tokens are issued as JWTs carrying the registered claims `iss`, `sub`, `aud`, `exp`, `iat` and `jti`, plus the `amr` (RFC 8176) and `auth_time` (OpenID Connect) claims; refresh token rotation invalidates each token after a single use so that a replayed token is detected.
- RFC 6749 (OAuth 2.0): The authorisation framework governs token issuance, refresh flows, redirect URI validation, and the client credential patterns used throughout the session lifecycle.
- W3C Web Authentication (WebAuthn) Level 3 / FIDO2: Passkey credentials are registered and verified against a WebAuthn server; FIDO2 authenticators are supported at initial login and for step-up challenges during an active session.
- OpenID Connect Core 1.0: Federated SSO login and identity-provider integration use OIDC; the `amr` and `auth_time` claims are evaluated when enforcing step-up authentication requirements.
- RFC 7517 (JSON Web Key Sets): Token verification consumes a JWKS endpoint to resolve the RS256 signing key by `kid`, with a refresh-on-miss strategy to handle key rotation without service disruption.
- RFC 9421 (HTTP Message Signatures): Service-to-service requests between the middleware and auth service are signed and verified using HTTP Message Signatures, so a forged or tampered request is rejected at the HTTP message layer before it reaches application logic.
- OWASP Application Security Verification Standard (ASVS) 5.0: Session controls including concurrent session limits, idle and absolute timeouts, cookie hardening (host-only scope, `HttpOnly`, `SameSite`), and user-enumeration mitigations are implemented in accordance with ASVS 5.0 chapters V3 (Web Frontend Security, cookie attributes), V6 (Authentication) and V7 (Session Management).
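The RFC 7517 bullet names a "refresh-on-miss" strategy without showing what it has to get right, so here is a worked version. This is an added example, not the Argus verifier: it reads the `kid` from the JWT header (refusing any `alg` other than RS256, which is what shuts out `alg=none` and HS256 key-confusion tokens), looks the `kid` up in a cached JWKS, re-fetches the JWKS once on a miss so a freshly rotated key is picked up, and rate-limits that re-fetch so an attacker cannot make the verifier hammer the JWKS endpoint with invented `kid` values. The fetch callable, the cooldown, the fake endpoint and the sample key sets are all assumptions; signature verification itself is left to a JOSE library once the key is resolved.

```python
"""JWKS key resolution by kid with rate-limited refresh-on-miss (added example, not Argus code)."""
from __future__ import annotations

import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_jose_header(token: str) -> dict:
    """Return the protected header, insisting on RS256 and a string kid."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "RS256":          # pin the algorithm; never trust the token's choice
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if not isinstance(header.get("kid"), str):
        raise ValueError("missing kid")
    return header


class JwksKeyResolver:
    def __init__(self, fetch_jwks, min_refresh_interval: float = 60.0, now=time.time):
        self._fetch = fetch_jwks                  # callable returning the JWKS document as a dict
        self._min_interval = min_refresh_interval  # assumed cooldown between miss-triggered fetches
        self._now = now
        self._keys: dict[str, dict] = {}
        self._last_refresh: float | None = None

    def _refresh(self) -> None:
        doc = self._fetch()
        self._keys = {k["kid"]: k for k in doc.get("keys", []) if "kid" in k}
        self._last_refresh = self._now()

    def resolve(self, kid: str) -> dict:
        if self._last_refresh is None:
            self._refresh()                       # cold cache: always fetch once
        key = self._keys.get(kid)
        if key is None and self._now() - self._last_refresh >= self._min_interval:
            self._refresh()                       # miss: rotation may have introduced this kid
            key = self._keys.get(kid)
        if key is None:
            raise KeyError(f"no signing key for kid {kid!r}")
        if key.get("kty") != "RSA" or key.get("use", "sig") != "sig" or key.get("alg", "RS256") != "RS256":
            raise ValueError(f"key {kid!r} is not an RS256 signing key")
        return key

    def key_for_token(self, token: str) -> dict:
        return self.resolve(parse_jose_header(token)["kid"])


class FakeJwksEndpoint:
    """Constructed stand-in for the auth service's JWKS URL: serves successive key
    sets to simulate rotation and counts how often it was hit."""
    def __init__(self, key_sets: list[list[dict]]):
        self._sets = key_sets
        self.fetches = 0

    def __call__(self) -> dict:
        self.fetches += 1
        return {"keys": self._sets[min(self.fetches - 1, len(self._sets) - 1)]}


def make_token_with_header(kid: str, alg: str = "RS256") -> str:
    """Header segment plus placeholder payload/signature, enough to exercise parsing."""
    h = base64.urlsafe_b64encode(json.dumps({"alg": alg, "kid": kid, "typ": "JWT"}).encode())
    return f"{h.rstrip(b'=').decode()}.e30.placeholder-signature"


# Constructed JWKs; the modulus values are placeholders, not real keys.
KEY_JAN = {"kty": "RSA", "kid": "2026-01", "use": "sig", "alg": "RS256", "e": "AQAB", "n": "placeholder-jan"}
KEY_APR = {"kty": "RSA", "kid": "2026-04", "use": "sig", "alg": "RS256", "e": "AQAB", "n": "placeholder-apr"}

if __name__ == "__main__":
    endpoint = FakeJwksEndpoint([[KEY_JAN], [KEY_JAN, KEY_APR]])
    resolver = JwksKeyResolver(endpoint, min_refresh_interval=60.0)
    print(resolver.key_for_token(make_token_with_header("2026-01"))["kid"], endpoint.fetches)
```

The cooldown is the detail that separates a safe refresh-on-miss from a denial-of-service lever: a single unknown `kid` should cost at most one fetch per interval, and the auth service should keep publishing the previous key for the lifetime of the longest outstanding access token so tokens signed before rotation still verify.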
Compliance#
Session management supports compliance with:
- SOC 2: Authentication controls, session management, and monitoring
- ISO 27001: Access control and secure authentication requirements
- PCI-DSS: Session timeout and authentication requirements
- HIPAA: Automatic logoff and session management for ePHI systems
- GDPR: Authentication security and data access controls
- FedRAMP: Session management and authentication requirements
Availability#
- Enterprise Plan: Full session management suite included
- Professional Plan: Core session management included; advanced threat detection and multi-device management available as add-on
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14