User Sessions and Stay Logged In

Introduction

The platform implements a robust session management system that maintains the user's authenticated state across their browsing experience. It balances security and convenience, allowing users to stay logged in without frequent interruptions while applying strong security controls.

How Sessions Work

Session Duration and Expiration

Sessions expire after 2 hours of inactivity. If the user doesn't interact with the platform during that time, the session is automatically closed. This protects against unauthorized access from abandoned sessions while supporting normal usage patterns.

"Remember Me" Functionality

Most login flows on the platform — except for ephemeral methods like IP-based, Referer, LTI, or SAML — support persistent sessions via a refresh token. When "Remember me" is selected, the platform:

  • Creates a secure token with a 30-day lifespan
  • Allows automatic login restoration after the session times out
  • Rotates the token each time it is used, so a captured token cannot be replayed after the legitimate use
  • Enables longer access periods without weakening the inactivity timeout

Session Limits

Configuring Session Limits

Store administrators can control how many simultaneous sessions users can maintain:

  • Global Setting: Configure the default session limit for all users in Advanced Settings > Users
  • Individual Override: Set specific limits for individual users that override the global setting

How Limits Work

When both settings are configured, the system prioritizes individual user settings over global defaults:

  • If a user has a specific limit set, that limit applies regardless of the global setting
  • If a user's limit is not set, the global default applies
  • Setting a user's limit to 0 prevents them from logging in entirely

Common Scenarios

URL Referrer Integrations: Users created through referrer integrations may have individual session limits that differ from your global settings. Check individual user configurations if referrer users cannot access content.

Session Management Features

Session Visibility

Users can review their active sessions under My Account. For each session they can see:

  • Device and browser type
  • Last activity timestamp
  • IP address and geolocation
  • An option to end that individual session

Super Admins can view user sessions via the admin dashboard at /nova/resources/auth-sessions.

Automated Session Maintenance

The system performs regular cleanup to:

  • Mark inactive sessions
  • Purge sessions that are no longer valid or restorable
  • Enforce retention policies
  • Improve system performance over time

Guest Session Handling

The platform also assigns temporary sessions to unauthenticated visitors for:

  • Shopping cart persistence
  • Analytics and behavior tracking
  • A seamless transition to logged-in experiences

Guest sessions don't use refresh tokens and expire quickly after inactivity.

Usage Scenarios

Multi-Device Access

The platform supports multiple concurrent sessions per user. This means:

  • Users can stay logged in on mobile and desktop
  • Sessions are isolated per device
  • Each session can be independently revoked
  • Users have full visibility into where they're logged in

Session Recovery

Sessions time out after 2 hours of inactivity.

When users return:

  • Within 2 hours → The session continues seamlessly
  • After 2 hours, with refresh token → The session is automatically restored in the background
  • After 2 hours, without refresh token → Login is required again
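As an added illustration (not the platform's own code), the following Python model ties together the rules described under "Remember Me", "How Limits Work" and "Session Recovery": the 2-hour inactivity timeout, the 30-day refresh token that is consumed and rotated on use, and the session limit where an individual override wins and 0 blocks login. It assumes that a login beyond the limit is rejected, which the page does not specify.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets

INACTIVITY_TIMEOUT = timedelta(hours=2)   # session closes after 2 h idle
REFRESH_TOKEN_TTL = timedelta(days=30)    # "remember me" token lifespan

def effective_limit(user_limit, global_limit):
    """Individual override beats the global default; None means 'not set'."""
    return global_limit if user_limit is None else user_limit

@dataclass
class Session:
    user: str
    last_activity: datetime
    active: bool = True

class SessionStore:
    def __init__(self, global_limit=3):
        self.global_limit = global_limit
        self.user_limits = {}      # per-user overrides; 0 blocks login entirely
        self.sessions = []
        self.refresh_tokens = {}   # token -> (session, expiry); single use

    def login(self, user, now, remember=False):
        limit = effective_limit(self.user_limits.get(user), self.global_limit)
        live = [s for s in self.sessions if s.user == user and s.active]
        # Assumption: a login beyond the limit is rejected (the page does not say)
        if limit == 0 or len(live) >= limit:
            raise PermissionError("session limit reached for %s" % user)
        session = Session(user, now)
        self.sessions.append(session)
        return session, (self._issue_refresh(session, now) if remember else None)

    def _issue_refresh(self, session, now):
        token = secrets.token_urlsafe(32)
        self.refresh_tokens[token] = (session, now + REFRESH_TOKEN_TTL)
        return token

    def resume(self, session, now, refresh_token=None):
        """Outcome when the user returns at `now`: (state, refresh token to keep)."""
        if session.active and now - session.last_activity <= INACTIVITY_TIMEOUT:
            session.last_activity = now
            return "continued", refresh_token
        session.active = False                                # idle > 2 h: closed
        entry = self.refresh_tokens.pop(refresh_token, None)  # consumed on use
        if entry is None or entry[0] is not session or now >= entry[1]:
            return "login_required", None
        session.active, session.last_activity = True, now
        return "restored", self._issue_refresh(session, now)  # rotated token
```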

For detailed technical implementation information, including data models, security considerations, and system architecture, see the User Session Architecture engineering documentation.