Configure session management

Configure session management

A web session refers to an authenticated instance of your Zoho One account. Put simply, a web session is created every time you sign in to your account from a browser or device, and is closed when you sign out. Signing in from your laptop is considered a web session. Signing in from a different browser in the same laptop is considered a separate web session, and signing in from a mobile browser is also considered a web session. However, signing in from a native mobile app is not considered a web session.

Unaccounted web sessions can pose serious threats to your security, which is why managing your users' sessions is an essential part of organizational administration.

The major problem posed by unaccounted sessions is that as end users, it's easy to lose track of how many unsafe browsers or devices you're currently signed in from. Let's take a look at an example. Jacalyn is a sales representative at Zylker. Due to the nature of her job, she travels around a lot and often connects to work remotely. She usually uses her laptop to connect, and sometime her mobile phone. Since those are personal devices, she never signs out of them. On rare occasions, she connects from internet cafes, and out of habit she does not sign out from them either. Now she has three active sessions, one of which is in a public computer, open for anyone to access. Jacalyn has now put her account and her organization at risk.

Zoho One's session management enables you to protect your organization from these unaccounted sessions, with these three settings:
  1. Session Lifetime: This setting automatically signs your users out of a session after the specified number of days. If Zylker's admin set the session lifetime as 30 days, Jacalyn will be forced to re-authenticate herself every month. If she buys a new mobile phone and sells her old one without signing out of it, the session will automatically expire in at most a month.
  2. Idle Session Timeout: This setting automatically signs your users out of a session if they haven't used it in the specified time period. For example, if Zylker's admin set the idle session timeout as one hour, Jacalyn's public computer session will automatically expire an hour after she stops using it, reducing the risk.
  3. Concurrent Sessions: This setting specifies how many browsers or devices a user can be signed in from at a time. For example, if Zylker's admin set the concurrent session as two, Jacalyn would be able to sign in from only two devices at a time. Once she comes back from the public computer and starts using her regular devices, she'll automatically be signed out of the public computer, preventing any security incidents.
Note: The configured settings will apply only to the sessions created by a user after the policy is applied to them.

In the mobile application: 

  1. Open the Zoho One app on your mobile device, then tap  in the top-right.
  2. Tap  in the bottom-right, then tap Security Policies.
  3. Tap the required security policy, then tap Advanced Settings.
  4. Set the Session LifetimeIdle Session Timeout, and Concurrent Sessions.
    1. Session Lifetime: This setting automatically signs your users out of a session after the specified number of days.
    2. Idle Session Timeout: This setting automatically signs your users out of a session if they haven't used it in the specified time period.
    3. Concurrent Sessions: This setting specifies how many browsers or devices a user can be signed in from at a time. 

In the web application:

  1. Sign in to Zoho One , the click Directory in the left menu.
  2. Go to Security, click Security Policies, then click on the policy you want to configure.
  3. Go to Advanced Settings, then set the Session LifetimeIdle Session Timeout, and Concurrent Sessions.
Note: To manually manage the sessions of individual users, use the Account Activity tab in their user information page.

    • Related Articles

    • Add security policy

      In the mobile application: Open the Zoho One app on your mobile device, then tap  in the top-right. Tap  in the bottom-right, then tap Security Policies. Tap Add, then enter the Policy Name.  Choose the groups the policy will be applied to. To ...
    • Configure password policy

      Passwords are the most commonly used authentication factor. Many users reuse the same, insecure password for all their online accounts, compromising their organization's security. To protect yourself from this common pitfall, make it mandatory for ...
    • Delete a security policy

      When a security policy is deleted, the priorities of the remaining policies will be reordered and applied accordingly. Learn more about policy priority. In the mobile application:  Open the Zoho One app on your mobile device, then tap  in the ...
    • Security Policies - Overview

      Security policies are a set of customizable rules that govern how your users can authenticate themselves. They consist of four components: Password policy: This component dictates how strong the users' passwords must be and how often they have to be ...
    • Apply an existing security policy to new groups

      When applying a policy to a new group, remember to take the policies already applied to the group into account. When a group has multiple security policies, they will be applied based on the policy priority. In the mobile application:  Open the Zoho ...