What are the User Session Management options?

The User Session Management feature lets you better control user sessions on your WordPress site, expire idle sessions, and prevent account hijacking and sharing.

It's composed of the following options:

User Session Management options explained

Option: Session Lifetime Override

This option can be found under the Login Protection feature and lets you specify how many days after login to automatically force a re-login.

Note: WordPress default is 2 days, or 14 days if you check the "Remember Me" box.

This cannot be less than "1". Default: "2".

Option: Idle Timeout

This option is also part of the Login Protection feature and lets you specify after how many hours of inactivity a user is automatically logged out.

If the user is inactive for the number of hours specified, they will be forcefully logged out next time they return.

Set to "0" to turn off this option.

Note: If the user has any browser activity whatsoever, this will affect their automatic logouts, e.g. if they leave their browser window open and there are any background (AJAX) requests to the site, this will count as activity.

This is what users get when they:

Close the browser window of the site

Leave the browser window of the site open and there are no background requests to the site

Option: User Session Lock

As part of the Login Protection feature, the User Session Lock options help you improve the protection of user sessions against theft and unauthorized access. By configuring the session lock options, you can significantly reduce the risk of user session hijacking.

There are 3 options for locking a WordPress user session:

  1. IP Address - locks a user session to their original IP address.
  2. Browser - locks a user session to their web browser. The browser's "useragent" is used to determine the browser.
  3. Hostname - locks a user session to the original request hostname.
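
The following Python example is added here and is not the plugin's own code: it shows how the Session Lifetime Override, Idle Timeout and User Session Lock options described above can be evaluated on each request. The Session and Policy classes, the check_request function, the reason strings and the order of the checks are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

HOUR, DAY = 3600, 86400

@dataclass
class Session:
    """Values recorded at login (field names are assumptions of this example)."""
    login_at: int       # Unix time of login
    last_activity: int  # Unix time of the last accepted request
    ip: str
    user_agent: str
    hostname: str

@dataclass
class Policy:
    lifetime_days: int = 2   # Session Lifetime Override; cannot be less than 1
    idle_hours: int = 0      # Idle Timeout; 0 turns the check off
    locks: tuple = ("ip", "browser", "hostname")  # User Session Lock choices

def check_request(s: Session, p: Policy, now: int, ip: str,
                  user_agent: str, hostname: str) -> Optional[str]:
    """Return None if the session may continue, else the reason to end it."""
    if p.lifetime_days < 1:
        raise ValueError("session lifetime cannot be less than 1 day")
    if now - s.login_at > p.lifetime_days * DAY:
        return "lifetime_exceeded"
    # Idleness is judged when the user returns, against the last request seen.
    if p.idle_hours > 0 and now - s.last_activity > p.idle_hours * HOUR:
        return "idle_timeout"
    if "ip" in p.locks and ip != s.ip:
        return "ip_lock"
    if "browser" in p.locks and user_agent != s.user_agent:
        return "browser_lock"
    if "hostname" in p.locks and hostname.lower() != s.hostname.lower():
        return "hostname_lock"
    s.last_activity = now  # any accepted request, background AJAX included
    return None

if __name__ == "__main__":
    # Constructed sample: login at t=0 from a documentation-range address.
    origin = ("203.0.113.10", "Mozilla/5.0 (constructed UA)", "example.com")
    policy = Policy(lifetime_days=2, idle_hours=1)
    sess = Session(0, 0, *origin)
    print(check_request(sess, policy, 30 * 60, *origin))             # same client
    print(check_request(sess, policy, 40 * 60, "198.51.100.7", *origin[1:]))
    print(check_request(sess, policy, 30 * 60 + HOUR + 1, *origin))  # returned late
```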

Options: User/Admin Login Notification Email

These options are part of the User Protection feature.

You can be notified by email every time an administrator user logs into your WordPress site.

Also, a notification can be sent to each user when a successful login occurs for their account.

Read more about this here.

User Sessions Management tool

The User Sessions Management tool can be found under the Tools menu.

You can use it to view and manage details of current user sessions on the site.

Example

Let’s say you’re an administrator of a site, and you see that somehow, some way, someone else is logged into the site under your administrator username in another location – you can immediately take action against this. Without being able to see currently active sessions, you are blind. User sessions simply give you a view of who is on your site and where they are.
