Sessions
Sessions are managed by tokens, which are stored in the database's tokens collection.
- User logs in
- User receives token
- Further requests initiated from the UI supply the token as the user’s security credentials
Expiration
See /api/models/Tokens.php: it contains a function that bumps the expiration date of the supplied Token object. This means that, whilst someone is using the platform, their token cannot expire. If, however, someone leaves the session idle for the expiry threshold (the TTL is currently 8 hours), the session expires. Expiry is handled by Mongo's expire-data functionality, which was set up in migration 112155747_tokens_auto_ttl_expire.js; Mongo then deletes the token automatically. To discourage session sniffing, a session may also be destroyed if a user's browser or IP address changes.
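The expiry and client-binding rules described above, modelled as an added example (not the code in Tokens.php or the migration). The field names expiresAt, userAgent and ip, the validateToken helper, and the Map standing in for the tokens collection are assumptions.

```javascript
// Added example. Assumptions: field names (expiresAt, userAgent, ip) and a Map
// standing in for the tokens collection. Not the code in Tokens.php.
const HOUR_MS = 60 * 60 * 1000;
const TTL_MS = 8 * HOUR_MS; // idle threshold stated in the text

// A TTL index of this shape makes Mongo delete a document once expiresAt passes
// (assumed field name): db.tokens.createIndex({ expiresAt: 1 }, { expireAfterSeconds: 0 })

function validateToken(store, tokenId, request, now) {
  const token = store.get(tokenId);
  if (!token) return { ok: false, reason: "unknown" };

  // Mongo's TTL monitor runs periodically (about every 60 seconds), so an expired
  // document can still be present. Check the timestamp rather than relying on deletion.
  if (token.expiresAt <= now) {
    store.delete(tokenId);
    return { ok: false, reason: "expired" };
  }
  // Client binding: destroy the session if the browser or IP address changed.
  if (token.userAgent !== request.userAgent || token.ip !== request.ip) {
    store.delete(tokenId);
    return { ok: false, reason: "client-changed" };
  }
  // Sliding expiration: every accepted request bumps the expiry forward.
  token.expiresAt = now + TTL_MS;
  return { ok: true, reason: "ok", expiresAt: token.expiresAt };
}

// Constructed sample data: two tokens issued at t0 to the same client.
function demo() {
  const t0 = Date.UTC(2024, 0, 1, 9, 0, 0);
  const client = { userAgent: "ExampleBrowser/1.0", ip: "192.0.2.10" };
  const moved = { ...client, ip: "198.51.100.7" };
  const store = new Map([
    ["tok-a", { ...client, expiresAt: t0 + TTL_MS }],
    ["tok-b", { ...client, expiresAt: t0 + TTL_MS }],
  ]);
  return [
    validateToken(store, "tok-a", client, t0 + 7 * HOUR_MS),  // active: bumped to t0+15h
    validateToken(store, "tok-a", client, t0 + 14 * HOUR_MS), // valid only because of the bump
    validateToken(store, "tok-a", client, t0 + 23 * HOUR_MS), // idle for more than 8h
    validateToken(store, "tok-b", moved, t0 + HOUR_MS),       // IP address changed
    validateToken(store, "tok-b", client, t0 + 2 * HOUR_MS),  // already destroyed
  ];
}

console.log(demo().map((r) => r.reason));
```

The second call succeeds 14 hours after issue only because the first call moved the expiry forward, which is the sliding behaviour the bump function provides.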