User Sessions
Introduction
The term user session refers to a series of interactions between a user and an application that are tracked by the server. Sessions are used to maintain user-specific state and authenticated user identities, among other things. For example, a session could track a validated user login followed by a series of activities performed by that user.
Aurora Session Management
When an administrator logs into the backend, a new user session is created. The session itself resides on the server. For each request, the client transmits the session ID from a cookie stored in the browser. Aurora validates the session ID provided by the browser cookie against the sessions held on the server. If the session ID matches an active server-side session, the authenticated page is displayed without the need to re-authenticate.
The Session ID must never be used in templates or otherwise disclosed publicly. See the Visitor UID section below for an alternative.
Exposing it puts the user's session at risk: anyone who obtains the Session ID could gain access to the user's currently logged-in session, and with it every permission that session carries.
Visitor UID
If you wish to get an identifier for a user, you may use the $visitor_uid variable in templates. With this variable, you can identify the same user across multiple orders. The Visitor UID persists when a user logs in but is refreshed when the user logs out. Otherwise, it persists for up to 1 year.
The Visitor UID is stored against orders as an Order Additional Field.
Security Features
The following features are implemented in Aurora's session handling. They are designed to mitigate various session-related attacks.
Automatic logout of user accounts
Aurora will automatically log out inactive browser windows after 60 minutes of inactivity.
Automatic logout protects site content from unauthorised access if a computer has been inadvertently left unlocked when someone has stepped away or isn't using their computer. The user will be redirected to the login page for any session that has exceeded the inactivity period.
Once logged in, users can see the current inactivity period from any page by hovering over the user icon at the top right of the main navigation.
This opens a drop-down information panel showing the amount of time remaining before automatic logout is initiated.

The automatic logout time will be reset after each page request.
Concurrent Sessions
Concurrent sessions refers to the number of sessions that can be open and active for a single Administrator account at the same time. A user could create multiple sessions by logging in to the same account from different browsers and devices. By default, Aurora prevents concurrent sessions for Administrator users.
When a user authenticates more than once, they are automatically signed out of their oldest inactive session.
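The behaviour described on this page (server-side session store keyed by an unguessable ID, the 60-minute inactivity timer that resets on every request, eviction of the oldest inactive session when an administrator logs in again, and a visitor UID that survives login but is rotated on logout or after 1 year) can be modelled in a few dozen lines. The following is an added example written for this page; it is not Aurora's own code, and the names SessionStore, login(), validate(), seconds_until_logout(), logout() and refresh_visitor_uid() are assumptions chosen for illustration. Timestamps are plain Unix seconds passed in by the caller so the timing rules can be exercised without a clock.

```python
import secrets
from dataclasses import dataclass

# Values taken from the page: 60-minute inactivity limit, visitor UID kept up to 1 year.
INACTIVITY_LIMIT = 60 * 60
VISITOR_UID_LIFETIME = 365 * 24 * 60 * 60


@dataclass
class Session:
    user: str
    created_at: int     # Unix timestamp (seconds)
    last_activity: int  # updated on every validated request


class SessionStore:
    """Server-side session table (illustrative, not Aurora's): only the session ID
    ever leaves the server, and only inside the browser cookie."""

    def __init__(self, max_sessions_per_user=1):
        # Default of 1 mirrors the page: no concurrent sessions per administrator.
        self._sessions = {}  # session_id -> Session
        self.max_sessions_per_user = max_sessions_per_user

    def login(self, user, now):
        """Create a session for an authenticated user and return its ID.

        If the user already holds as many sessions as allowed, the oldest
        inactive one (smallest last_activity) is signed out first.
        """
        own = sorted(
            (sid for sid, s in self._sessions.items() if s.user == user),
            key=lambda sid: self._sessions[sid].last_activity,
        )
        while len(own) >= self.max_sessions_per_user:
            del self._sessions[own.pop(0)]
        session_id = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
        self._sessions[session_id] = Session(user, now, now)
        return session_id

    def validate(self, session_id, now):
        """Look up the ID sent by the browser. Returns the Session, or None if the ID
        is unknown or idle past the limit (the caller then redirects to the login page)."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if now - session.last_activity > INACTIVITY_LIMIT:
            del self._sessions[session_id]  # stale: force re-authentication
            return None
        session.last_activity = now         # each page request resets the timer
        return session

    def seconds_until_logout(self, session_id, now):
        """Time left before auto-logout, as shown in the user drop-down panel.
        Reading it does not reset the timer."""
        session = self._sessions.get(session_id)
        if session is None:
            return 0
        return max(0, INACTIVITY_LIMIT - (now - session.last_activity))

    def logout(self, session_id):
        """Destroy the session on the server; the cookie value becomes useless."""
        self._sessions.pop(session_id, None)

    def active_sessions(self, user):
        return sum(1 for s in self._sessions.values() if s.user == user)


def refresh_visitor_uid(uid, issued_at, now, logged_out=False):
    """Decide which visitor UID to set on the browser: kept across login, rotated
    only on logout or after 1 year. Unlike the session ID it grants no access,
    which is why it is the value suitable for use in templates."""
    if uid is None or logged_out or now - issued_at > VISITOR_UID_LIFETIME:
        return secrets.token_urlsafe(16), now
    return uid, issued_at


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("admin", now=1000)
    print("valid after 30 idle minutes:", store.validate(sid, 1000 + 30 * 60) is not None)
    print("expired after 61 idle minutes:", store.validate(sid, 1000 + 30 * 60 + 61 * 60) is None)
```

The eviction order in login() is the detail worth checking in any real implementation: sorting by last_activity rather than created_at is what makes "oldest inactive session" mean the one the administrator has not touched for longest, so a second login from a new device signs out the idle one rather than the one opened first.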