Review and revoke user sessions

Each user holds up to five concurrent sessions, each tied to one browser or mobile client. You review them here when you suspect account compromise, when a user reports a lost device, or when you need to force a specific browser off the system.

Procedure

  1. Open Admin → Users.
  2. Click the user’s row to open the edit panel, then open the Sessions tab.
  3. Review each session’s User-Agent (device / browser), created at, and last used at.
  4. Click Revoke on the session you want to end.
  5. Confirm. NovaVMS sends a session_evicted WebSocket message to that session (if it’s still connected) and invalidates the refresh token. The user’s next API call from that session returns 401 and sends them to the login page.

Common variations

  • Kick every session for a user: use Reset a user’s password — that revokes all sessions plus forces a new password.
  • Kick every session everywhere (account compromise suspected): disable the user. Disabling is instantaneous, blocks re-login, and keeps their data intact until you re-enable.
  • Automatic eviction of the oldest session: NovaVMS already revokes the oldest session when a 6th concurrent session is created. No action needed from you.

If this didn’t work

  • If the Sessions tab is empty, the user has no active sessions. They have either logged out, or every session has expired past the 30-day refresh window.
  • If the user calls back saying they’re still logged in right after you revoked, that’s expected. Their current access token has up to 15 minutes left. Ask them to refresh the page to force a 401.
  • If you need to block the account immediately regardless, see Disable a user.
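
The timing described above (five-session cap, 15-minute access token, 30-day refresh window) can be modelled to see how long a revoked session keeps working. This is an added example, not NovaVMS code: the SessionStore class, its method names, the choice of "oldest" by creation time, and measuring the refresh window from the last refresh are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_SESSIONS = 5                     # concurrent sessions per user (from the page)
ACCESS_TTL = timedelta(minutes=15)   # access token lifetime (from the page)
REFRESH_TTL = timedelta(days=30)     # refresh window (from the page)

@dataclass
class Session:
    created_at: datetime
    last_refresh: datetime
    access_expires_at: datetime
    revoked: bool = False

class SessionStore:                  # hypothetical model of one user's sessions
    def __init__(self):
        self.sessions = {}           # session id -> Session

    def _live(self, s, now):
        return not s.revoked and now - s.last_refresh < REFRESH_TTL

    def login(self, sid, now):
        """Create a session; return the id evicted to stay under the cap, if any."""
        live = [k for k, s in self.sessions.items() if self._live(s, now)]
        evicted = None
        if len(live) >= MAX_SESSIONS:
            # Assumption: "oldest" means earliest created_at.
            evicted = min(live, key=lambda k: self.sessions[k].created_at)
            self.sessions[evicted].revoked = True
        self.sessions[sid] = Session(now, now, now + ACCESS_TTL)
        return evicted

    def refresh(self, sid, now):
        """Exchange the refresh token; False means 401 and the login page."""
        s = self.sessions[sid]
        if not self._live(s, now):
            return False
        s.last_refresh = now
        s.access_expires_at = now + ACCESS_TTL
        return True

    def api_call(self, sid, now):
        # Assumption: an already-issued access token is checked by expiry only.
        return 200 if now < self.sessions[sid].access_expires_at else 401

    def revoke(self, sid, now):
        """Invalidate the refresh token; return how long the access token still works."""
        s = self.sessions[sid]
        s.revoked = True
        return max(s.access_expires_at - now, timedelta(0))
```

In this model, revoking a session whose access token was issued 8 minutes earlier leaves a 7-minute residual window, after which both API calls and refresh attempts fail.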