Sessions

LL::NG rely on a session mechanism with the session ID as a shared secret between the user (in SSO cookie) and the session database.

To configure sessions, go in Manager, General Parameters » Sessions:

Store user password in session data: see password store documentation.
Sessions timeout: Maximum lifetime of a session. Old sessions are deleted by a cron script.
Sessions activity timeout: Maximum inactivity duration.

Session activity timeout requires Handlers to have a write access to sessions database.

Opening conditions: rules which are evaluated before granting session. If a user does not comply with any condition, he is prompted a customized message. That message can contain session data as user attributes or macros. The conditions are checked in alphabetical order of comments.
Sessions Storage: see sessions database configuration.
Multiple sessions, you can restrict the number of open sessions:
- One session only by user: a user can not open 2 sessions with the same account.
- One IP only by user: a user can not open 2 sessions with different IP.
- One user by IP address: 2 users can not open a session with the same IP.
- Display deleted sessions: display deleted sessions on authentication phase.
- Display other sessions : display other sessions on authentication phase, with a link to delete them.

Note that since HTTP protocol is not connected, restrictions are not applied to the new session: the oldest are destroyed.