Session Settings

The Session Settings page provides full control over how user sessions behave on your QuickBox Pro server. Configure timeout policies, persistence options, concurrent session limits, and perform bulk session operations. The page is organized into four sections, each accessible via sidebar dot-navigation.

Admin only

Session Settings requires admin privileges (admin.sessions.read to view, admin.settings.update to modify). Navigate to Settings > Sessions from the sidebar.

Sections overview

⏱️ Timeouts

Set session timeout, idle timeout, and absolute timeout to control how long sessions last

🍪 Persistence & Cookies

Configure remember-me duration and cookie behavior for persistent login

🔢 Concurrency

Limit how many simultaneous sessions a single user can have active

🔄 Session Operations

Force logout all users by bulk-invalidating every active session on the server

Timeouts

Control how long user sessions remain valid:

Session timeout — The maximum duration (in minutes) a session lasts before requiring the user to log in again. This applies regardless of activity
Idle timeout — How long an inactive session persists before expiring. If a user is idle for longer than this period, they are logged out
Absolute timeout — The hard upper limit on session lifetime, after which the session expires regardless of other settings

Quick access

Session timeout and idle timeout are also shown (in summary form) on the General Settings page for quick reference. This page provides the full configuration with additional options.

Persistence and cookies

Configure how sessions persist across browser closures:

Remember me duration — When a user checks “Remember me” at login, their session persists for this duration even after closing the browser
Cookie settings — Control cookie behavior for session persistence

These settings determine the user experience when returning to the dashboard after closing their browser. A longer remember-me duration means less frequent re-authentication, while a shorter duration provides tighter security.

Concurrency

Limit the number of simultaneous active sessions per user:

Maximum concurrent sessions — The maximum number of devices or browsers a single user can be logged into at the same time

When a user exceeds the concurrent session limit, the oldest session is invalidated to make room for the new one. This prevents a single account from being shared across too many devices.

Admin override

The concurrency limit applies to all users including admins. If you frequently access the dashboard from multiple devices, set the limit high enough to accommodate your workflow.

Session operations

Perform bulk session management:

Invalidate all sessions — Force logout every user on the server by invalidating all active sessions. This is a destructive operation and requires typing a confirmation phrase before proceeding

Use with care

Invalidating all sessions immediately logs out every user — including yourself. You will need to log in again. Use this when you suspect a security breach or after making significant permission changes that should take effect immediately.

Settings reference

Setting	Section	Description
Session timeout	Timeouts	Maximum session duration in minutes
Idle timeout	Timeouts	Duration of inactivity before session expires
Absolute timeout	Timeouts	Hard upper limit on session lifetime
Remember me duration	Persistence	How long persistent sessions last after browser closure
Max concurrent sessions	Concurrency	Maximum simultaneous sessions per user
Invalidate all sessions	Operations	Bulk force-logout requiring confirmation phrase

Best practices

Do

Set a reasonable idle timeout (15-30 minutes) to automatically log out unattended sessions
Use the concurrency limit to prevent credential sharing — a limit of 3-5 sessions covers most legitimate use cases
Test your timeout settings by logging in from a separate browser before applying them server-wide
Use the bulk invalidation feature after a security incident to force all users to re-authenticate

Don't

Don't set extremely short session timeouts — they create a frustrating experience for users who are actively working in the dashboard
Don't set the concurrent session limit to 1 unless you specifically need single-device enforcement — users who switch between desktop and mobile will be constantly logged out
Don't use bulk session invalidation casually — it disrupts every user on the server
Don't forget that changing session settings may not affect existing sessions immediately — new settings apply to new sessions by default

FAQ

Changes to timeout settings generally apply to new sessions. Existing sessions continue with their original timeout values until they expire naturally. To force all users to use the new settings immediately, use the bulk invalidation feature to log everyone out.

Session timeout sets the absolute maximum duration a session can last, regardless of whether the user is active. Idle timeout ends a session after a period of inactivity. A session expires when either limit is reached, whichever comes first.

The oldest active session is automatically invalidated to make room for the new login. The user is logged out of their oldest device or browser session.

Users can view and manage their own active sessions from the Security tab on their Profile page. Admins can revoke individual user sessions from the User Admin page.

General Settings

Quick session timeout overview and other instance settings

Security Settings

IP bans, firewall rules, and geo-based access control

Your Profile

View and manage your own active sessions

User Admin

Revoke individual user sessions and manage accounts

Join the Community

Media server operators sharing configs, getting support, and shaping the future of QuickBox Pro.

Dedicated Support

Feature Previews

Community Configs

Active Discussions

Join Discord Server