Session Management
Every time you log in from a browser or device, StatusRadar creates a server-side session. Session management lets you see all of your active sessions and revoke any you no longer want β useful after logging in on a shared computer, or if you suspect unauthorized access.
Sessions are managed under Settings β Security (/dashboard/settings?tab=security).
How Sessions Work
- Sessions are server-side and Redis-backed, identified by the
STATUSRADAR_SESSIONcookie. - The cookie is
HttpOnly,Secure, andSameSite=None(so you stay logged in after a Stripe redirect). - Revoking a session destroys it on the server immediately β the corresponding browser is logged out on its next request.
Viewing Active Sessions
The Active Sessions list shows each session tied to your account, including the device/browser context and which entry is your current session. Review this list periodically and after using any machine you don't fully trust.
Revoking a Single Session
To log out a specific device, find it in the list and revoke it. The session is destroyed and that browser is signed out.
You cannot revoke the session you are currently using from this list. To end your current session, use Log out instead.
Revoking All Other Sessions
If you want to sign out everywhere except where you are right now β for example after a suspected compromise or a password change β use Revoke All Other Sessions. This destroys every session except your current one, forcing every other device to log in again.
This is a good step to take when:
- You changed your password and want to invalidate older logins (this is not automatic).
- You logged in somewhere and forgot to log out.
- You suspect your account was accessed from a device you don't control.
Relationship to Other Security Controls
- Changing your password does not revoke other sessions automatically. Revoke them explicitly afterward if needed.
- Enabling or disabling 2FA affects future logins, not currently active sessions. Revoke sessions to force re-authentication with the new setting.
- Revoking an API token is separate from sessions β it stops programmatic API access but does not affect browser logins. See API Tokens.
Next Steps
- Account Security Overview - All account security controls
- Two-Factor Authentication - Enable TOTP and manage recovery codes
- API Tokens - Generate, use, and revoke your API token