
Session Management

O.D.I.N. uses JWT-based sessions with server-side tracking, enabling you to view all active sessions and revoke them individually or all at once.


How Sessions Work

When you log in, O.D.I.N.:

  1. Creates a JWT with a unique jti (JWT ID) claim
  2. Stores the jti in the active_sessions table alongside your IP address, user agent, and timestamps
  3. Sets the JWT as an httpOnly, Secure, SameSite=Strict cookie — the browser sends it automatically but JavaScript cannot read it (XSS-resistant)

Session expiry is 24 hours from creation. The active_sessions table records last_seen_at on each authenticated request.

WebSocket Tokens Are Scoped

The WebSocket endpoint (/ws) issues a short-lived token scoped exclusively to WebSocket connections. This token cannot be replayed against REST API endpoints. This prevents WebSocket token theft from granting access to the full API. (Introduced in v1.3.63)
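The two mechanisms above (a session JWT carrying a jti that is tracked in active_sessions, and a separate short-lived WebSocket token that REST endpoints refuse) can be shown together in a small stand-alone model. This is an added example, not O.D.I.N.'s code: it uses a stdlib HS256 encoder, an in-memory dict in place of the active_sessions table, a placeholder signing key, a `scope` claim as the assumed way the WebSocket token is marked, and a 60-second WebSocket token lifetime, which the page does not quantify.

```python
import base64
import hashlib
import hmac
import json
import uuid

# Constructed example; none of this is O.D.I.N.'s code.
SECRET = b"placeholder-signing-key-do-not-use"   # placeholder, not a real key
SESSION_TTL = 24 * 3600   # page: sessions expire 24 hours after creation
WS_TOKEN_TTL = 60         # assumption: the page only says "short-lived"

# Stand-in for the active_sessions table: jti -> row
active_sessions: dict = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """Minimal HS256 JWT encoder (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_jwt(token: str, now: float) -> dict:
    """Verify signature, algorithm and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(payload))
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def create_session(user: str, ip: str, user_agent: str, now: float) -> str:
    """Login: mint a session JWT with a fresh jti and record it like the active_sessions row."""
    jti = str(uuid.uuid4())
    token = sign_jwt({"sub": user, "jti": jti, "scope": "session",
                      "iat": int(now), "exp": int(now) + SESSION_TTL})
    active_sessions[jti] = {"user": user, "ip": ip, "user_agent": user_agent,
                            "created_at": now, "last_seen_at": now}
    return token


def session_cookie(token: str) -> str:
    """Set-Cookie value with the flags the page lists: httpOnly, Secure, SameSite=Strict."""
    return f"session={token}; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age={SESSION_TTL}"


def authenticate_rest(token: str, now: float) -> dict:
    """REST request: only session-scoped tokens with a known jti pass; updates last_seen_at."""
    claims = decode_jwt(token, now)
    if claims.get("scope") != "session":
        raise ValueError("token not valid for the REST API")
    row = active_sessions.get(claims.get("jti"))
    if row is None:
        raise ValueError("unknown session")
    row["last_seen_at"] = now
    return claims


def issue_ws_token(session_token: str, now: float) -> str:
    """/ws handshake: a valid session token is exchanged for a short-lived ws-scoped token."""
    claims = authenticate_rest(session_token, now)
    return sign_jwt({"sub": claims["sub"], "jti": str(uuid.uuid4()), "scope": "ws",
                     "parent_jti": claims["jti"], "iat": int(now), "exp": int(now) + WS_TOKEN_TTL})


def authenticate_ws(token: str, now: float) -> dict:
    """WebSocket connection: only ws-scoped tokens whose parent session still exists pass."""
    claims = decode_jwt(token, now)
    if claims.get("scope") != "ws":
        raise ValueError("token not valid for WebSocket")
    if claims.get("parent_jti") not in active_sessions:
        raise ValueError("parent session no longer active")
    return claims


def rest_accepts(token: str, now: float) -> bool:
    try:
        authenticate_rest(token, now)
        return True
    except ValueError:
        return False


def ws_accepts(token: str, now: float) -> bool:
    try:
        authenticate_ws(token, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    sess = create_session("alice", "203.0.113.5", "Mozilla/5.0", t0)   # constructed values
    ws = issue_ws_token(sess, t0 + 5)
    print("REST accepts session token:", rest_accepts(sess, t0 + 10))   # True
    print("REST accepts ws token:     ", rest_accepts(ws, t0 + 10))     # False (scope mismatch)
    print("WS accepts ws token:       ", ws_accepts(ws, t0 + 10))       # True
    print("WS accepts session token:  ", ws_accepts(sess, t0 + 10))     # False
```

The scope check is what makes a stolen WebSocket token useless against the REST API: both token kinds carry the same signature scheme, so the difference has to be enforced by the verifier, not by the crypto. The `parent_jti` link is an added assumption that lets a revoked parent session also cut off WebSocket tokens derived from it.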


Viewing Active Sessions

  1. Go to Settings → Account → Sessions
  2. The active sessions list shows:
    • Device (user agent string, simplified)
    • IP address
    • Session created timestamp
    • Last seen timestamp

Only your own sessions are visible by default. Admins can view and revoke sessions for any user under Settings → Access → Users → [User] → Sessions.


Revoking Sessions

Revoke a Single Session

Click Revoke next to any session entry. The jti is immediately added to the token_blacklist table. Any subsequent request with that token returns 401 Unauthorized.

Revoke All Sessions

Click Revoke All Sessions to invalidate every active session for your account. This is useful if you suspect your account is compromised.

Admins can revoke all sessions for any user.


Automatic Revocation Triggers

Some actions automatically revoke all existing sessions:

Trigger            | Behavior                                                             | Version
Password change    | All sessions revoked; you must log in again                          | v1.3.66
MFA token use      | The MFA pending token is immediately blacklisted after use           | v1.3.63
Admin disables MFA | Existing sessions continue (only MFA config changes)                 |
Account locked out | New logins blocked; existing sessions are not revoked automatically  |

Token Blacklist Mechanics

The token_blacklist table stores revoked jti values with their expiry timestamps. On every authenticated request, O.D.I.N. checks if the token's jti is in the blacklist before allowing access.

Expired entries are pruned from the blacklist automatically so it cannot grow without bound. Each entry is kept until the original token's exp claim has passed; after that it can be safely deleted, because the token would be rejected as expired anyway.
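The revocation flow described under Revoking Sessions and the blacklist lifecycle above can be modelled with two small tables. This is an added example, not O.D.I.N.'s schema or code: it uses an in-memory SQLite database, the table names from the page (active_sessions, token_blacklist), assumed column names, and the assumption that a revoked jti is also removed from active_sessions so it disappears from the sessions list. `revoke_all_sessions` is what a password-change trigger would call.

```python
import sqlite3

# Constructed example; schema and column names are assumptions, not O.D.I.N.'s.


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE active_sessions (jti TEXT PRIMARY KEY, user_id TEXT NOT NULL, exp INTEGER NOT NULL)")
    db.execute("CREATE TABLE token_blacklist (jti TEXT PRIMARY KEY, exp INTEGER NOT NULL)")
    return db


def record_session(db: sqlite3.Connection, jti: str, user_id: str, exp: int) -> None:
    """Login: store the jti with the token's exp so a later blacklist entry knows when it can go."""
    db.execute("INSERT INTO active_sessions (jti, user_id, exp) VALUES (?, ?, ?)", (jti, user_id, exp))
    db.commit()


def revoke_session(db: sqlite3.Connection, jti: str) -> bool:
    """Revoke one session: copy jti+exp into token_blacklist, drop the active row."""
    row = db.execute("SELECT exp FROM active_sessions WHERE jti = ?", (jti,)).fetchone()
    if row is None:
        return False
    db.execute("INSERT OR IGNORE INTO token_blacklist (jti, exp) VALUES (?, ?)", (jti, row[0]))
    db.execute("DELETE FROM active_sessions WHERE jti = ?", (jti,))
    db.commit()
    return True


def revoke_all_sessions(db: sqlite3.Connection, user_id: str) -> int:
    """Revoke every session of one user in a single transaction; returns how many were revoked."""
    db.execute("INSERT OR IGNORE INTO token_blacklist (jti, exp) "
               "SELECT jti, exp FROM active_sessions WHERE user_id = ?", (user_id,))
    n = db.execute("DELETE FROM active_sessions WHERE user_id = ?", (user_id,)).rowcount
    db.commit()
    return n


def is_revoked(db: sqlite3.Connection, jti: str) -> bool:
    return db.execute("SELECT 1 FROM token_blacklist WHERE jti = ?", (jti,)).fetchone() is not None


def check_request(db: sqlite3.Connection, jti: str, exp: int, now: int) -> int:
    """Per-request check in the order the page describes: expiry, blacklist, known session.
    Returns the HTTP status the request would receive (200 or 401)."""
    if now >= exp:
        return 401   # expired tokens never reach the blacklist lookup, so pruned entries are safe
    if is_revoked(db, jti):
        return 401
    if db.execute("SELECT 1 FROM active_sessions WHERE jti = ?", (jti,)).fetchone() is None:
        return 401
    return 200


def prune_blacklist(db: sqlite3.Connection, now: int) -> int:
    """Drop blacklist rows whose token has expired anyway; returns the number removed."""
    n = db.execute("DELETE FROM token_blacklist WHERE exp <= ?", (now,)).rowcount
    db.commit()
    return n


def blacklist_size(db: sqlite3.Connection) -> int:
    return db.execute("SELECT COUNT(*) FROM token_blacklist").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    t0 = 1_700_000_000
    record_session(db, "jti-a1", "alice", t0 + 86400)   # constructed values
    record_session(db, "jti-a2", "alice", t0 + 86400)
    print(check_request(db, "jti-a1", t0 + 86400, t0 + 5))   # 200
    revoke_session(db, "jti-a1")
    print(check_request(db, "jti-a1", t0 + 86400, t0 + 5))   # 401
    print(revoke_all_sessions(db, "alice"))                    # 1
    print(prune_blacklist(db, t0 + 86400))                     # 2
```

The ordering in `check_request` matters: the expiry check runs before the blacklist lookup, which is what makes it safe for `prune_blacklist` to delete entries once exp has passed. If the blacklist were consulted first and pruning ran early, a revoked-but-unexpired token could slip through.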


See Also