What are the User Session Management options?

The User Session Management feature gives you better control over user sessions on your WordPress site: it lets you expire idle sessions and prevent account sharing.

Example

Let’s say you’re an administrator of a site, and you see that somehow, some way, someone else is logged into the site under your administrator username from another location. You can immediately take action against this. Without being able to see currently active sessions, you are blind. User sessions simply give you a view of who is on your site and where they are.

User Session Management options explained

Option: Session Timeout

This option specifies how many days after login a user is automatically forced to log in again.

Note: WordPress default is 2 days, or 14 days if you check the "Remember Me" box.

This cannot be less than "1". Default: "2".

Option: Idle Timeout

This option specifies how many hours of inactivity are allowed before a user is automatically logged out.

If the user is inactive for the number of hours specified, they will be forcefully logged out next time they return.

Set to "0" to turn off this option.

Note: Any browser activity whatsoever affects a user's automatic logout. For example, if they leave their browser window open and it makes background (AJAX) requests to the site, those requests count as activity.

This is what users get when they:

Close the browser window of the site

Leave the browser window of the site open and there are no background requests to the site

Option: User Session Lock

The User Session Lock feature helps you improve the protection of user sessions against theft and unauthorized access. By configuring the session lock options, you can significantly reduce the risk of user session hijacking.

There are 3 options for locking a WordPress user session:

  1. IP Address - locks a user session to their original IP address.
  2. Browser - locks a user session to their web browser. The browser's "useragent" is used to determine the browser.
  3. Hostname - locks a user session to the original request hostname.

Read more about these options here.
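
The sketch below is an added example, not the plugin's own code: a Python model of how Session Timeout, Idle Timeout and User Session Lock could be evaluated on each request. The field names, the order of the checks and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

DAY, HOUR = 86400, 3600

@dataclass
class Settings:  # field names are hypothetical; limits follow the page
    session_timeout_days: int = 2  # cannot be less than 1
    idle_timeout_hours: int = 0    # 0 turns the idle check off
    locks: tuple = ()              # any of "ip", "browser", "hostname"

@dataclass
class Session:  # values recorded at login
    login_at: int
    last_activity_at: int
    ip: str
    user_agent: str
    hostname: str

def check_request(s, cfg, now, ip, user_agent, hostname):
    """Return (allowed, reason); an allowed request is recorded as activity."""
    if cfg.session_timeout_days < 1:
        raise ValueError("Session Timeout cannot be less than 1")
    if now - s.login_at >= cfg.session_timeout_days * DAY:
        return False, "session_timeout"
    idle_limit = cfg.idle_timeout_hours * HOUR
    if idle_limit > 0 and now - s.last_activity_at >= idle_limit:
        return False, "idle_timeout"  # enforced when the user next returns
    seen = {"ip": ip, "browser": user_agent, "hostname": hostname}
    bound = {"ip": s.ip, "browser": s.user_agent, "hostname": s.hostname}
    for lock in cfg.locks:
        if seen[lock] != bound[lock]:
            return False, "lock_" + lock
    s.last_activity_at = now  # background AJAX requests land here too
    return True, "ok"

def demo():
    # Constructed sample data; addresses are from documentation ranges.
    cfg = Settings(2, 1, ("ip", "browser"))
    home = ("203.0.113.10", "Browser-A", "example.com")
    new = lambda: Session(0, 0, *home)
    s = new()
    polled = [check_request(s, cfg, t * 60, *home)[1] for t in (50, 100, 150)]
    return {
        "polled_every_50_min": polled,
        "silent_for_150_min": check_request(new(), cfg, 150 * 60, *home)[1],
        "other_ip": check_request(new(), cfg, 60, "198.51.100.7", *home[1:])[1],
        "after_two_days": check_request(new(), cfg, 2 * DAY, *home)[1],
    }
```

With a 1-hour idle timeout, the session that makes a request every 50 minutes is still valid at 150 minutes, while the one that stays silent for the same period is rejected on its next request.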

Note: If you'd like to view and manage details of current user sessions on the site, you may use the User Sessions Management tool detailed here.