Session management
See where you're signed in, sign out other devices, force a sign-out everywhere.
Overview
Each sign-in creates a session. A session records the device, IP address, and last-active time. If you see a session you don't believe you created, terminate it.
Prerequisites
- Authenticated session (you're already signed in)
Steps
Open Sessions. Avatar → My Profile → Sessions, or Settings → Sessions.
Read the list. Each row: device fingerprint (e.g. Chrome on macOS), IP address, last active. Your current session is highlighted.
Spot suspicious entries. Sessions from countries you don't operate in, or devices you don't recognise, warrant immediate action.
Sign out a single session. Click Sign out on the row. That session is invalidated immediately; the device is signed out on next request.
Sign out everywhere except this device. Click Sign out other sessions at the top.
Force complete sign-out. Sign out everywhere including this device. You'll need to sign in again immediately.
Owner-level inspection. The Owner can see all clinic sessions via Settings → Staff → User → Sessions. Useful when offboarding staff.
Set session timeout. Settings → Security → Session timeout — auto-sign-out after N minutes of inactivity (default 30, max 240).
Expected outcome
- Sessions list reflects current authenticated devices
- Terminated sessions can no longer make API calls
- Audit log captures terminations
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| Session list shows duplicate entries | Same device, multiple browser windows | Each browser tab is a separate session |
| Suspicious session won't sign out | Race condition | Try again; or change password (forces all sessions out) |
| Terminated session keeps making requests | Token cached client-side | Wait 1-2 minutes; tokens are validated server-side at next API call |
| Want longer timeout | Beyond 240 minutes | Not allowed; security policy |
| Owner can't see staff sessions | Staff opt-out | Privacy policy may differ; check with platform support |
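The behaviour listed under Expected outcome, and the "Token cached client-side" row above, can be modelled as a server-side session store that is consulted on every API call. This is an added illustration, not the platform's own code: the class name, method names, audit event names, and the 1-minute lower bound on the timeout are assumptions. Only the 30-minute default and 240-minute maximum come from this page.

```python
import secrets
import time

DEFAULT_TIMEOUT_MIN = 30   # from the page: default idle timeout
MAX_TIMEOUT_MIN = 240      # from the page: maximum allowed


class SessionStore:
    """Hypothetical model of server-side sessions; not the platform's implementation."""

    def __init__(self, timeout_min=DEFAULT_TIMEOUT_MIN, clock=time.time):
        # Lower bound of 1 minute is an assumption; the page only states the maximum.
        if not 1 <= timeout_min <= MAX_TIMEOUT_MIN:
            raise ValueError("session timeout must be 1-240 minutes")
        self.timeout_s = timeout_min * 60
        self.clock = clock
        self.sessions = {}   # token -> {"user", "device", "ip", "last_active"}
        self.audit = []      # (timestamp, event, user, device)

    def sign_in(self, user, device, ip):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "device": device, "ip": ip,
                                "last_active": self.clock()}
        return token

    def validate(self, token):
        """Run on every API call: a token cached by the client is useless
        once the server-side record has been removed or has gone idle."""
        s = self.sessions.get(token)
        if s is None:
            return False
        if self.clock() - s["last_active"] > self.timeout_s:
            self._terminate(token, "idle_timeout")
            return False
        s["last_active"] = self.clock()
        return True

    def _terminate(self, token, event):
        s = self.sessions.pop(token)
        self.audit.append((self.clock(), event, s["user"], s["device"]))

    def sign_out(self, token):
        if token in self.sessions:
            self._terminate(token, "sign_out")

    def sign_out_others(self, current_token):
        user = self.sessions[current_token]["user"]
        for t in [t for t, s in self.sessions.items()
                  if s["user"] == user and t != current_token]:
            self._terminate(t, "sign_out_others")
```

Signing out everywhere including the current device is the same loop without the `t != current_token` filter.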