Prerequisites
Permissions required to perform this action :
A web session refers to an authenticated instance of your Zoho Directory account. To put it simply, a web session is created every time you sign in to your account from a browser or device, and is closed when you sign out. Signing in from your laptop is considered a web session. Signing in from a different browser in the same laptop is considered a separate web session and signing in from a mobile browser is also considered a web session. However, signing in from a native mobile app is not considered a web session.
Unaccounted web sessions can pose serious threats to your security, which is why managing your users' sessions is an essential part of organizational administration.
The major problem posed by unaccounted sessions is that as end users, it's easy to lose track of how many unsafe browsers or devices you're currently signed in from. Let's take a look at an example. Jacalyn is a sales representative at Zylker. Due to the nature of her job, she travels around a lot and often connects to work remotely. She usually uses her laptop to connect, and sometimes her mobile phone. Since those are personal devices, she never signs out of them. On rare occasions, she connects from internet cafes, and out of habit she does not sign out from them either. Now she has three active sessions, one of which is in a public computer, open for anyone to access. Jacalyn has now put her account and her organization at risk.
Zoho Directory's session management enables you to protect your organization from these unaccounted sessions, with these three settings:
- Session Lifetime: This setting automatically signs your users out of a session after the specified number of days. If Zylker's admin sets the session lifetime as 30 days, Jacalyn will be forced to re-authenticate herself every month. She buys a new mobile phone and sells her old one. Even if she forgot to sign out of it, the session will automatically expire in at most a month.
- Idle Session Timeout: This setting automatically signs your users out of a session if they haven't used it in the specified time period. For example, if Zylker's admin set the idle session timeout as one hour, Jacalyn's public computer session will automatically expire an hour after she stops using it, reducing the risk.
- Concurrent Sessions: This setting specifies how many browsers or devices a user can be signed in from at a time. For example, if Zylker's admin set the concurrent sessions as two, Jacalyn would be able to sign in from only two devices at a time. So once she comes back from the public computer and starts using her regular devices, she'll automatically be signed out of the public computer, preventing any security incident.
Note: The configured settings will apply only to the sessions created by a user after the policy is applied to them.
To configure session management:
- Sign in to Zoho Directory , then click Admin Panel in the left menu.
- Go to Security, click Security Policies, then click on the policy you want to configure.
- Go to Advanced Settings, then set the Session Lifetime, Idle Session Timeout, and Concurrent Sessions.