Session Management
Monitor and control your active login sessions across all devices to maintain account security.Understanding Sessions
A session represents an active login to your QuivaWorks account. Each time you log in from a device or browser, a new session is created.Session Lifetimes
Access Token
1 HourUsed for API requests and active browsing
Refresh Token
24 HoursAllows automatic token renewal without re-login
After 24 hours of inactivity, you’ll need to log in again. This security measure helps protect your account from unauthorized access.
Viewing Active Sessions
See all devices and locations where you’re currently logged in:- Click your profile icon in the bottom left
- Select “Settings”
- Navigate to “Sessions”
Session Information
Each session shows:- Device Type - Operating system (e.g., Macintosh, Windows, Linux)
- Browser - Which browser is being used (e.g., Chrome, Firefox, Safari)
- Location - Geographic location (when available)
- IP Address - The IP address accessing your account
- Expiration - When the session will expire (e.g., “in 14 minutes”)
- Current Session - Marked as “Your session” with a green indicator
Location information may show as “unknown” if geographic data isn’t available for the IP address or if you’re using a VPN or proxy.
Terminating Sessions
Ending a Specific Session
To log out of a specific device:- Navigate to Settings → Sessions
- Find the session you want to end
- Click “Terminate session” for that specific session
Ending All Other Sessions
To log out of all devices except your current one:- Navigate to Settings → Sessions
- Click the “Terminate sessions” button at the top
- Confirm the action
When to Terminate Sessions
Suspicious Activity
Suspicious Activity
Terminate immediately if you see:
- Unfamiliar locations or IP addresses
- Devices you don’t recognize
- Unusual login times
- Sessions you didn’t create
- Change your password immediately
- Review recent account activity
- Enable MFA if not already active
- Consider reviewing incident response procedures
Forgot to Log Out
Forgot to Log Out
If you left yourself logged in:
- Public computer or shared device
- Work computer you no longer have access to
- Lost or stolen device
- Device you sold or gave away
Routine Security
Routine Security
Good security practice:
- Review sessions monthly
- Terminate old or unused sessions
- Clear sessions before traveling
- End sessions on devices you no longer use regularly
Password Changed
Password Changed
After changing your password, consider terminating all sessions to ensure no one with your old password can access your account.
Admin Session Management
Administrators can force users to log out from all their sessions.Logging Out a User (Admin Only)
- Navigate to Account Management → Users
- Click on the user’s email address
- Click the dot menu (three dots)
- Select “Logout”
This immediately terminates all of the user’s active sessions across all devices. The user will need to log in again to access their account.
- User reports their device was stolen
- Suspected account compromise
- Employee leaving the organization
- User forgot to log out on a shared device
- Troubleshooting access issues
Session Security Best Practices
Review Regularly
Check your active sessions at least monthly for any unfamiliar devices or locations
Use MFA
Multi-factor authentication adds protection even if someone gets your session token
Secure Devices
Use device passwords, biometrics, and encryption on devices with active sessions
Public WiFi Caution
Avoid logging in on untrusted networks. Use a VPN if necessary
Additional Security Measures
Enable MFA
Enable MFA
Multi-factor authentication protects your account even if someone steals your session token. See our Authentication Guide.
Use Strong Passwords
Use Strong Passwords
Long, unique passwords make it harder for attackers to gain initial access. Consider using a password manager.
Keep Software Updated
Keep Software Updated
Updated browsers and operating systems have the latest security patches to protect your sessions.
Log Out When Done
Log Out When Done
Especially on shared or public computers, always log out when you’re finished rather than just closing the browser.
Troubleshooting
Session expired unexpectedly
Session expired unexpectedly
Common Causes:
- 24 hours of inactivity passed
- Admin terminated your sessions
- You changed your password
- You cleared browser cookies
Can't see location information
Can't see location information
Why this happens:
- Using VPN or proxy
- Corporate network
- Privacy-focused browser settings
- Geographic data unavailable for IP
Session shows wrong device
Session shows wrong device
Possible Reasons:
- Browser user agent string is generic
- Using browser in compatibility mode
- Remote desktop or virtualization
- Browser extension interfering
Too many active sessions
Too many active sessions
If you see many unexpected sessions:
- Click “Terminate sessions” to end all except current
- Change your password immediately
- Enable MFA if not already active
- Review incident response guide
- Each browser and device creates a separate session
- Mobile apps create their own sessions
- This is normal for users with multiple devices
Session Security Checklist
1
Weekly
- Note any unfamiliar sessions when you log in
- Report suspicious activity immediately
2
Monthly
- Review all active sessions in Settings
- Terminate sessions for devices you no longer use
- Verify all locations and devices are yours
3
After Security Events
- Terminate all sessions after changing password
- Review sessions after suspected compromise
- Check sessions after device loss or theft
4
Best Practices
- Always log out on shared/public computers
- Use MFA for additional protection
- Keep your recovery codes accessible
- Report suspicious sessions to your admin