Session Management
Configure session duration, manage concurrent sessions, implement forced logout, and maintain security
Session Management
Control active user sessions, configure session timeouts, and manage security across devices and locations.
Understanding Sessions
A session is created when you successfully sign in to MongoDash. It maintains your authenticated state until you sign out, the session expires, or it's revoked.
What Sessions Track
Each session includes:
- Device Information - Browser, operating system, device type
- Location - IP address and approximate geographic location
- Activity - Last active timestamp and current status
- Creation Time - When the session was established
- Expiration - When the session will automatically expire

Viewing Your Active Sessions
Open Account Settings Click your profile picture in the top right, then select Account Settings.
Navigate to Sessions Click the Sessions tab to view all active sessions for your account.

Review Sessions Each active session displays:
- Device and browser information
- IP address and location
- Last active time
- Current session indicator (the device you're using now)
Session Timeout Settings
Sessions automatically expire after a period of inactivity to protect your account.
Default Timeout Periods
| Activity Level | Timeout Duration |
|---|---|
| Active Use | 24 hours (extends with activity) |
| Idle | 2 hours of inactivity |
| Trusted Devices | 30 days (if enabled) |
Timeout settings apply to web sessions. API keys have separate expiration policies managed independently.
Configuring Session Duration
BusinessBusiness and Enterprise plans can customize session timeout policies:
Open Workspace Settings Click your workspace name and select Settings.
Navigate to Security Click Security in the left sidebar.
Configure Session Timeout Under Session Management, set:
- Idle Timeout - Minutes of inactivity before automatic logout (15-120 minutes)
- Maximum Session Duration - Hard limit regardless of activity (1-30 days)
- Remember Me Duration - How long "Remember this device" lasts (7-90 days)

Save Settings Click Save to apply new timeout policies. Existing sessions continue until their current expiration.
Activity Extension
Active sessions automatically extend their timeout with user activity:
- Page Navigation - Moving between workspace pages
- Data Queries - Running queries or viewing collections
- Dashboard Interaction - Viewing or editing dashboards
- Settings Changes - Modifying workspace or account settings
Background activity like auto-refreshing dashboards does not extend session timeout. Interactive user actions are required.
Managing Concurrent Sessions
MongoDash allows multiple simultaneous sessions so you can access your workspace from different devices.
Concurrent Session Limits
| Plan | Maximum Concurrent Sessions |
|---|---|
| Free | 3 sessions |
| Team | 5 sessions |
| Business | 10 sessions |
| Enterprise | Unlimited |
When you exceed the limit, the oldest inactive session is automatically terminated.
Viewing Session Details
Click any session to view detailed information:
- Full user agent string
- Complete IP address
- Session creation timestamp
- Last activity details
- Session token identifier (partial, for reference)

Revoking Sessions
Terminate sessions to protect your account from unauthorized access.
Revoking a Single Session
Identify Suspicious Session In your Sessions list, look for unfamiliar devices or locations.
Revoke Session Click Revoke next to the session you want to terminate.
Revoking a session immediately signs out that device. The user will need to sign in again.
Confirm Confirm the revocation. The session is terminated instantly.
Revoking All Other Sessions
To sign out all devices except your current one:
Click Revoke All On the Sessions page, click Revoke All Other Sessions at the top.
Confirm Mass Revocation Confirm that you want to sign out all devices except your current one.
Your current session (the device you're using now) remains active. All other devices are signed out.
Verify After revocation, only your current session should appear in the active sessions list.

When to Revoke Sessions
Revoke sessions when you:
- Notice unfamiliar device or location
- Lose a device with an active session
- Change your password after a suspected compromise
- Leave a shared or public computer signed in
- Complete work on a temporary device
Forced Logout
BusinessWorkspace administrators can force logout specific users or all users in emergency situations.
Force Logout a Single User
Navigate to Members From workspace settings, click Members in the left sidebar.
Select User Click the user you want to sign out, then click Sessions in their user details.
Revoke User Sessions Click Revoke All Sessions for [User] to immediately sign them out from all devices.

Notify User The user receives an email notification that their sessions were revoked and they need to sign in again.
Force Logout All Users
EnterpriseIn security emergencies, Enterprise plans can sign out all workspace users:
- Navigate to Workspace Settings and Security
- Under Emergency Controls, click Force Logout All Users
- Confirm the action and provide a reason
- All workspace sessions are immediately terminated
- Users receive email notification of the forced logout
Force logout all users only in genuine security emergencies. This disrupts all active work and should not be used routinely.
Trusted Devices
Mark frequently-used devices as trusted to extend session duration and reduce 2FA prompts.
Enabling Trusted Devices
When signing in, check Trust this device for 30 days to:
- Extend session duration to 30 days with activity
- Skip 2FA codes on subsequent logins (device still requires password)
- Maintain session across browser restarts
Only trust devices you control completely. Never trust shared, public, or work devices you don't own.
Managing Trusted Devices
View and remove trusted devices:
- Go to Account Settings and Sessions
- Click the Trusted Devices tab
- View all devices marked as trusted
- Click Remove Trust to require 2FA on next login

Session Security Best Practices
Sign Out When Finished
Always sign out when you're done working, especially on:
- Shared computers
- Public wifi networks
- Temporary or borrowed devices
- Work computers you don't own
Review Sessions Regularly
Check your active sessions weekly:
- Verify all sessions are yours
- Revoke old or unfamiliar sessions
- Remove trust from devices you no longer use
Use Strong Passwords
Session security depends on password strength:
- Use unique passwords for MongoDash
- Enable 2FA for additional protection
- Change passwords immediately if compromised
Monitor Session Alerts
EnterpriseEnterprise plans receive alerts for suspicious session activity:
- New session from unusual location
- Multiple failed login attempts
- Session created after password change
- Concurrent sessions exceeding normal patterns
Session Lifecycle
Creation
A new session is created when you:
- Sign in with email and password
- Complete 2FA verification (if enabled)
- Accept any workspace-specific policies
Extension
Sessions extend automatically during:
- Active use of the workspace
- Query execution
- Dashboard interactions
- Settings modifications
Expiration
Sessions expire when:
- Idle timeout is reached (default 2 hours)
- Maximum duration is exceeded
- User explicitly signs out
- Session is revoked by user or admin
- Password is changed (all sessions revoked)

Workspace Session Policies
BusinessAdministrators can enforce workspace-wide session policies:
Idle Timeout Policy
Configure maximum idle time before automatic logout:
- 15 minutes - High security environments
- 30 minutes - Standard security (recommended)
- 1 hour - Balanced security and convenience
- 2 hours - Maximum allowed
Maximum Session Duration
Set hard limits on session lifetime:
- 8 hours - Single work day
- 24 hours - Allow overnight sessions
- 7 days - Weekly rotation
- 30 days - Maximum allowed
Geographic Restrictions
EnterpriseLimit sessions to specific geographic regions:
- Block sessions from sanctioned countries
- Restrict to corporate VPN locations
- Alert on sessions from unexpected regions
Troubleshooting Sessions
Frequent Automatic Logouts
If you're being signed out too frequently:
- Check workspace session timeout settings
- Ensure your activity is interactive (not just background refreshes)
- Verify your device isn't clearing cookies automatically
- Check if workspace has strict security policies
Unable to Sign Out Old Sessions
If you can't revoke old sessions:
- Wait for automatic expiration (max 30 days)
- Change your password to revoke all sessions
- Contact workspace admin for forced revocation
Session Revoked Unexpectedly
Your session may be revoked due to:
- Workspace administrator action
- Password change by you or admin
- Security policy enforcement
- Concurrent session limit reached
If your session is repeatedly revoked without explanation, check with your workspace administrator about security policies.
What's Next?
- Two-Factor Authentication - Add extra security to your sessions
- Audit Logs - Review session creation and revocation events
- User Permissions - Understand what authenticated sessions can access