Session Management
When a user signs in to your application through Aero2, a session is created. Sessions track the user's authenticated state and are managed via secure HttpOnly cookies.
Session Properties
Each session records the following information:
| Property | Description |
|---|---|
| Session ID | Unique identifier for the session |
| User agent | Browser and OS information |
| IP address | The IP address used at sign-in |
| Created at | When the session was established |
| Last activity | When the session was last used |
API Endpoints
List active sessions
Retrieve all active sessions for the currently authenticated user:
```bash
curl https://your-app.aero2.dev/api/sessions \
  -H "Authorization: Bearer <access_token>"
```

Revoke a specific session
End a single session by its ID:
```bash
curl -X DELETE https://your-app.aero2.dev/api/sessions/:id \
  -H "Authorization: Bearer <access_token>"
```

Revoke all sessions
End all sessions for the current user (useful if the user suspects their account is compromised):
```bash
curl -X POST https://your-app.aero2.dev/api/sessions/revoke-all \
  -H "Authorization: Bearer <access_token>"
```

Sign out current session
End the current session (the one associated with the request):
```bash
curl -X POST https://your-app.aero2.dev/api/auth/signout \
  -H "Authorization: Bearer <access_token>"
```

Admin Session Management
When an administrator disables a user account, all of that user's active sessions are automatically revoked. This ensures disabled users are immediately signed out across all devices.
Session Configuration
:::info Coming Soon
This feature is under active development. The design below reflects our planned implementation.
:::
Configurable session settings are planned, including:
- Inactivity timeout — Automatically end sessions after a period of no activity
- Absolute timeout — Maximum session lifetime regardless of activity
- "Remember me" option — Allow users to opt into longer-lived sessions
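The inactivity and absolute timeouts above can be applied from the client side to the output of the list endpoint, using the "Created at" and "Last activity" properties to pick sessions for `DELETE /api/sessions/:id`. This is an added example, not Aero2 code: the JSON field names (`id`, `created_at`, `last_activity`), the timestamp format and the two limits are assumptions, since the page does not document the response shape or any defaults.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Assumed policy values; the page does not specify defaults.
INACTIVITY_LIMIT = timedelta(minutes=30)
ABSOLUTE_LIMIT = timedelta(hours=12)
BASE_URL = "https://your-app.aero2.dev"  # placeholder host used in the docs


def parse_ts(value):
    """Parse an ISO 8601 timestamp; treat naive values as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def sessions_to_revoke(sessions, now, current_id):
    """Return (session_id, reason) pairs for sessions that break the policy."""
    flagged = []
    for s in sessions:
        sid = s.get("id")
        if sid == current_id:
            continue  # never revoke the session making the request
        try:
            created = parse_ts(s["created_at"])
            last = parse_ts(s["last_activity"])
        except (KeyError, ValueError, AttributeError, TypeError):
            flagged.append((sid, "bad_timestamp"))  # fail closed on bad records
            continue
        if now - created > ABSOLUTE_LIMIT:
            flagged.append((sid, "absolute_timeout"))
        elif now - last > INACTIVITY_LIMIT:
            flagged.append((sid, "inactivity_timeout"))
    return flagged


def revoke_url(session_id):
    """URL for DELETE /api/sessions/:id, with the ID percent-encoded."""
    return f"{BASE_URL}/api/sessions/{quote(str(session_id), safe='')}"


# Constructed sample data; field names are assumed, not taken from Aero2.
SAMPLE = [
    {"id": "s1", "created_at": "2024-05-01T08:00:00Z", "last_activity": "2024-05-01T11:55:00Z"},
    {"id": "s2", "created_at": "2024-05-01T09:00:00Z", "last_activity": "2024-05-01T10:00:00Z"},
    {"id": "s3", "created_at": "2024-04-30T20:00:00Z", "last_activity": "2024-05-01T11:50:00Z"},
    {"id": "s4", "created_at": "2024-05-01T11:00:00Z"},
]
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
```

Each flagged ID maps to one `DELETE` request against `revoke_url(...)` with the same `Authorization` header as the curl commands above.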