Session Security

RTC Collector implements multi-device session management with tracking, monitoring, and revocation capabilities. You can view all active sessions, log out from specific devices, or terminate all sessions at once for maximum security.

Overview

Session security features:

  • Multi-Device Tracking - See all devices logged into your account
  • Session Details - IP address, device type, browser, location, last activity
  • Individual Revocation - Log out from specific devices
  • Mass Logout - Log out from all devices at once
  • Session Expiration - Automatic logout after 24 hours (or 30 days with "Remember Me")
  • Security Monitoring - Track suspicious login activity
  • Device Recognition - Identify each device and browser

How Sessions Work

Session Creation (Login)

When You Log In:

  1. Enter email/username and password
  2. Complete 2FA if enabled
  3. Optionally check "Remember Me"
  4. Server generates JWT (JSON Web Token)
  5. JWT stored in HTTP-only cookie
  6. Session record created in database

What Gets Tracked:

  • User ID - Links session to your account
  • JWT Token - Signed authentication token (see Session Tokens below)
  • IP Address - Your current IP (sourced from x-forwarded-for, x-real-ip, or socket)
  • User Agent - Browser and OS information
  • Device Info - Parsed device type and browser
  • Expiration Time - When session expires
  • Creation Time - When you logged in
  • Last Activity - Most recent API request

Device Info Detection

Device Types:

  • Mobile Device - Detected from "Mobile", "Android", "iPhone" in user agent
  • Tablet - Detected from "Tablet", "iPad" in user agent
  • Desktop - All other devices (laptops, desktops)

Browser Detection:

  • Chrome - Google Chrome (excluding Edge)
  • Firefox - Mozilla Firefox
  • Safari - Apple Safari (excluding Chrome-based)
  • Edge - Microsoft Edge
  • Opera - Opera browser

Example Device Info:

  • "Mobile Device - Chrome"
  • "Desktop - Firefox"
  • "Tablet - Safari"
  • "Desktop - Edge"
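
The labelling rules above, as an added example (not RTC Collector's own code): a small User-Agent classifier that produces the "<device> - <browser>" strings shown in the sessions list. The exact substrings used for Edge ("Edg/" or "Edge/") and Opera ("OPR/"), the check order, and the sample user agents are assumptions; the page names the browsers but not how they are matched.

```javascript
// Added example, not RTC Collector's own code: labels a session from its
// User-Agent header with the rules listed above. The substrings used for
// Edge ("Edg/" or "Edge/") and Opera ("OPR/"), and the check order, are
// assumptions; the page names the browsers but not the exact matching.

function detectDeviceType(ua) {
  // Tablet is tested first because iPad user agents also contain "Mobile".
  if (/Tablet|iPad/i.test(ua)) return 'Tablet';
  if (/Mobile|Android|iPhone/i.test(ua)) return 'Mobile Device';
  return 'Desktop';
}

function detectBrowser(ua) {
  // Order matters: Edge and Opera advertise "Chrome" and "Safari" too, and
  // Chrome advertises "Safari"; testing the most specific token first gives
  // the "excluding Edge" / "excluding Chrome-based" behaviour described above.
  if (/Edge?\//.test(ua)) return 'Edge';
  if (/OPR\//.test(ua)) return 'Opera';
  if (/Chrome\//.test(ua)) return 'Chrome';
  if (/Firefox\//.test(ua)) return 'Firefox';
  if (/Safari\//.test(ua)) return 'Safari';
  return 'Unknown';
}

// Produces the "<device> - <browser>" label shown in the sessions list.
// A missing or empty header yields "Unknown", the case the Troubleshooting
// section covers for privacy settings and user-agent spoofing.
function deviceInfo(ua) {
  if (typeof ua !== 'string' || ua.trim() === '') return 'Unknown';
  return `${detectDeviceType(ua)} - ${detectBrowser(ua)}`;
}

// Constructed sample user agents (not captured from real sessions).
const SAMPLE_AGENTS = {
  chromeDesktop: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36',
  edgeDesktop: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0',
  firefoxAndroid: 'Mozilla/5.0 (Android 13; Mobile; rv:125.0) Gecko/125.0 Firefox/125.0',
  safariIpad: 'Mozilla/5.0 (iPad; CPU OS 16_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Mobile/15E148 Safari/604.1',
  operaDesktop: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0',
  scriptClient: 'curl/8.6.0',
};

for (const [name, ua] of Object.entries(SAMPLE_AGENTS)) {
  console.log(`${name}: ${deviceInfo(ua)}`);
}
```

Because the User-Agent header is client-controlled, the label is a convenience for recognising your own devices, not a security control; the IP address and the token itself remain the authoritative session identifiers.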

Session Tokens

JWT (JSON Web Token):

  • Generated on login
  • Signed with JWT_SECRET (min 32 characters)
  • Contains user ID and expiration
  • Cannot be tampered with: any change to the payload invalidates the signature and the token is rejected
  • Verified on every API request

Token Expiration:

  • Standard Login: 24 hours
  • Remember Me: 30 days

Token Storage:

  • Stored in HTTP-only cookie
  • Cookie name: token
  • Secure flag in production
  • SameSite: Strict (CSRF protection)

Cookie Settings:

{
  httpOnly: true,       // Cannot be accessed by JavaScript
  secure: true,         // HTTPS only (in production)
  sameSite: 'strict',   // No cross-site requests
  maxAge: rememberMe    // Expiration time in milliseconds:
    ? 30 * 24 * 60 * 60 * 1000   // 30 days with "Remember Me"
    : 24 * 60 * 60 * 1000        // 24 hours otherwise
}

Viewing Active Sessions

Access Sessions Page

Navigate to Sessions:

  1. Go to Settings (Click profile → Settings)
  2. Click Security tab
  3. Scroll to Active Sessions section

Alternative Method:

  • Settings → Security → Active Sessions

What You See

Each session displays:

Device Information:

  • Device type (Mobile, Tablet, Desktop)
  • Browser name (Chrome, Firefox, Safari, Edge, Opera)

Network Information:

  • IP address (e.g., "192.168.1.100")
  • Approximate location (if available)

Activity Information:

  • Created: When you logged in
  • Last Activity: Most recent API request time
  • Expires: When session will auto-expire

Current Device:

  • Session for your current device shows "This Device" label
  • Cannot revoke your current session (would log you out)

Example:

Desktop - Chrome
IP: 203.0.113.45
Last Activity: 2 minutes ago
Created: Today at 10:30 AM
Expires: Tomorrow at 10:30 AM

[Revoke Session Button]

Sorting and Filtering

Default Sort: Last Activity (descending)

  • Most recent activity appears first
  • Current device usually at top

Active Sessions Only:

  • Only shows sessions with isActive = true
  • Only shows sessions with expiresAt > now
  • Expired sessions automatically hidden

Revoking Sessions

Revoke Individual Session

Steps:

  1. Go to Settings → Security → Active Sessions
  2. Find the session to revoke
  3. Click Revoke Session button
  4. Confirm revocation

What Happens:

  • Session marked as inactive (isActive = false)
  • JWT token invalidated
  • Device logged out immediately
  • Session no longer appears in active list
  • User on that device sees "Logged out" message

Immediate Effect:

  • Next API request from that device fails
  • User redirected to login page
  • Must log in again to regain access

Use Cases:

  • Log out from forgotten device
  • Terminate session on public computer
  • Remove access from lost/stolen device
  • Clean up old sessions

Logout from All Devices

Steps:

  1. Go to Settings → Security
  2. Click Logout from All Devices button
  3. Read warning carefully
  4. Click Confirm

What Happens:

  • ALL sessions marked inactive
  • ALL JWT tokens invalidated
  • Current session also terminated
  • You're logged out immediately
  • Redirected to login page
  • Must log in again

Warning: This logs you out from EVERY device, including your current one. You'll need to log in again on all devices.

Use Cases:

  • Suspect account compromise
  • Change password and force re-authentication
  • Revoke all access immediately
  • Security precaution after data breach
  • Clean slate for session management

Session Expiration

Automatic Expiration

Standard Login (24 hours):

  • Expires exactly 24 hours after login
  • No activity extension
  • Must log in again after expiration

Remember Me (30 days):

  • Expires 30 days after login
  • Checkbox on login page
  • Longer session for trusted devices
  • Still requires re-auth after 30 days

Expired Session Behavior:

  • Session marked expired automatically
  • API requests fail with 401 Unauthorized
  • User redirected to login page
  • Session removed from active sessions list

Manual Logout

Single Device Logout:

  • Click logout button in app
  • Clears JWT cookie
  • Marks session inactive
  • Immediate effect

Session Persistence:

  • Closing browser doesn't log you out
  • Session persists across browser restarts
  • Only manual logout or expiration ends session

Security Monitoring

Identifying Suspicious Activity

Red Flags:

  • Unrecognized device in sessions list
  • Sessions from unexpected locations
  • Multiple sessions from different countries
  • Sessions on devices you don't own
  • High number of active sessions

Investigation Steps:

  1. Review all active sessions
  2. Check IP addresses and locations
  3. Verify device types and browsers
  4. Check last activity times
  5. Identify unrecognized sessions

Action Steps:

  • Revoke suspicious sessions immediately
  • Change your password
  • Enable 2FA if not already active
  • Review account activity
  • Contact support if compromise suspected
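
The red-flag checklist above applied to a session list, as an added example (not RTC Collector's own code): it marks sessions on unrecognised devices or from unexpected locations and reports account-wide signals such as several countries or too many sessions. The `country` field, the thresholds and the sample sessions are assumptions; the page shows only an approximate location per session.

```javascript
// Added example, not RTC Collector's own code: applies the red-flag checklist
// above to a list of active sessions. The `country` field and the thresholds
// are assumptions; the page only shows an approximate location per session.
function flagSuspiciousSessions(sessions, { knownDevices, homeCountries, maxSessions = 5 }) {
  const flags = [];
  for (const s of sessions) {
    const reasons = [];
    if (!knownDevices.has(s.deviceInfo)) reasons.push('unrecognized device');
    if (s.country && !homeCountries.has(s.country)) reasons.push('unexpected location');
    if (reasons.length) flags.push({ id: s.id, ip: s.ip, lastActivity: s.lastActivity, reasons });
  }
  // Account-wide signals: sessions spread across countries, or simply too many of them.
  const countries = new Set(sessions.map((s) => s.country).filter(Boolean));
  const accountWide = [];
  if (countries.size > 1) accountWide.push(`sessions from ${countries.size} countries`);
  if (sessions.length > maxSessions) accountWide.push(`${sessions.length} active sessions (limit ${maxSessions})`);
  return { flags, accountWide };
}

// Constructed sample sessions (not real data; addresses are from documentation ranges).
const SAMPLE_SESSIONS = [
  { id: 's1', deviceInfo: 'Desktop - Chrome', ip: '203.0.113.45', country: 'DE', lastActivity: '2 minutes ago' },
  { id: 's2', deviceInfo: 'Mobile Device - Safari', ip: '203.0.113.90', country: 'DE', lastActivity: '1 hour ago' },
  { id: 's3', deviceInfo: 'Desktop - Unknown', ip: '198.51.100.23', country: 'BR', lastActivity: '3 hours ago' },
];

// The reviewer supplies what they know about their own devices and usual countries.
const review = flagSuspiciousSessions(SAMPLE_SESSIONS, {
  knownDevices: new Set(['Desktop - Chrome', 'Mobile Device - Safari']),
  homeCountries: new Set(['DE']),
});
console.log(JSON.stringify(review, null, 2));
```

A flagged session is a prompt to look, not proof of compromise: VPN use or a spoofed User-Agent produce the same signals (see Troubleshooting), so the follow-up is the revoke-and-change-password sequence listed above, not an automatic lockout.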

Session Audit

Regular Review:

  • Check active sessions weekly
  • Remove old/forgotten sessions
  • Verify all devices are yours
  • Monitor for unusual activity

Best Practices:

  • Keep active sessions to a minimum
  • Log out from public computers
  • Revoke sessions when changing passwords
  • Enable 2FA for additional protection

Security Best Practices

For Maximum Security

1. Enable Two-Factor Authentication:

  • Adds second layer of protection
  • Prevents unauthorized login even if password stolen
  • See Security Settings for 2FA setup

2. Use Strong Passwords:

  • Minimum 8 characters
  • Mix of letters, numbers, symbols
  • Unique password (not used elsewhere)
  • Change periodically (every 6-12 months)

3. Regular Session Review:

  • Check active sessions weekly
  • Revoke unrecognized sessions immediately
  • Keep session count reasonable
  • Log out from unused devices

4. Secure Your Devices:

  • Use device passwords/biometrics
  • Keep software updated
  • Use trusted networks
  • Avoid public WiFi for account access

5. Monitor Login Activity:

  • Review new login notifications
  • Check for unexpected logins
  • Verify IP addresses and locations
  • Report suspicious activity

For Shared Computers

Always:

  • Use incognito/private browsing mode
  • Never check "Remember Me"
  • Log out after each session
  • Clear browser data when done

Never:

  • Leave browser open and unattended
  • Save password in browser
  • Stay logged in overnight
  • Share login credentials

For Mobile Devices

Recommended:

  • Use device biometric lock
  • Install from official app stores only
  • Keep OS and apps updated
  • Enable remote wipe capabilities

If Lost/Stolen:

  1. Go to Settings → Security on another device
  2. Review active sessions
  3. Revoke the mobile device session
  4. Change your password
  5. Contact support if needed

Troubleshooting

Session Not Showing

Causes:

  • Session expired (>24h or >30d)
  • Device logged out
  • Session revoked by another device
  • Database sync issue

Fix:

  • Refresh page
  • Log in again if needed
  • Check if you're on correct account

Cannot Revoke Session

Causes:

  • Trying to revoke current session
  • Session already revoked
  • Network connectivity issue
  • Permission error

Fix:

  • Use "Logout from All Devices" instead
  • Try from different device
  • Check internet connection
  • Contact support if persists

Too Many Active Sessions

Causes:

  • Multiple devices/browsers
  • Failed to log out properly
  • Browser sessions across profiles
  • Automatic login enabled

Fix:

  • Click "Logout from All Devices"
  • Log in again on needed devices
  • Always log out when finished
  • Disable auto-login features

Session Expired Too Quickly

Causes:

  • Didn't check "Remember Me"
  • Standard 24-hour expiration
  • Server time sync issue
  • Token regeneration policy

Fix:

  • Check "Remember Me" on login
  • Accept 24-hour expiration as security measure
  • Re-authenticate when prompted
  • Sessions expire for security

IP Address Shows Incorrectly

Causes:

  • Using VPN or proxy
  • Shared network IP
  • ISP assigned different IP
  • Geolocation database outdated

Fix:

  • Normal behavior with VPNs/proxies
  • IP shows network gateway, not exact location
  • Verify other session details (device, browser)
  • Contact support if completely wrong

Device Info Shows "Unknown"

Causes:

  • Privacy browser settings
  • User agent spoofing
  • Unusual browser/device
  • Parsing error

Fix:

  • Check other session details
  • Use standard browsers for better detection
  • Device still tracked by IP and token
  • Contact support if concerned

FAQ

How long do sessions last?

24 hours by default, or 30 days if "Remember Me" checked at login.

Can I extend a session before it expires?

No. Sessions have fixed expiration. You must log in again after expiration for security.

Do sessions work across browsers?

No. Each browser gets its own session. Logging out in Chrome doesn't affect Firefox.

What happens if someone logs in with my password?

You'll see a new session in your active sessions list. Revoke it immediately and change your password.

Can I set custom session expiration?

No. Expiration is fixed at 24 hours (standard) or 30 days (remember me) for security and consistency.

Does closing the browser log me out?

No. Sessions persist across browser restarts. Only manual logout or expiration ends a session.

Can I name or label sessions?

Not currently. Sessions are identified automatically by device info, IP, and browser.

What if I see a session I don't recognize?

Revoke it immediately, change your password, enable 2FA, and review account activity for unauthorized changes.

Do expired sessions get deleted?

Yes, expired sessions (isActive = false or expiresAt < now) are filtered from the active sessions list and eventually purged from the database.

Can I be logged in on multiple devices?

Yes. Unlimited concurrent sessions across devices. Each device gets its own session.

What's the difference between logout and revoke?

Logout: You manually log yourself out (current device only). Revoke: You remotely log out another device/session.

Does VPN use affect sessions?

VPN changes your IP address, so sessions will show the VPN IP. Device info and other details remain the same.