Session Management

Remote session termination is a critical security control for organizations managing volunteers who may lose their devices or leave the organization unexpectedly. Peer mentors and coordinators access sensitive contact data and encrypted assignments - the ability to instantly revoke access reduces the window of exposure after a security incident. For organization administrators, session visibility provides operational assurance that only authorized individuals are actively accessing the system. This feature is particularly important for organizations with high volunteer turnover, such as HLF and NHF, where offboarding needs to be immediate and verifiable. It also supports GDPR compliance by enabling organizations to demonstrate control over data access.

Sessions are tracked in the sessions PostgreSQL table, with entries created at login and invalidated at logout or termination. JWT-based mobile sessions use short-lived access tokens (15 minutes) with longer-lived refresh tokens stored in the device's secure storage; server-side session records track refresh token hashes for revocation. Admin portal sessions use HTTP-only cookies backed by server-side session records. The session management UI in the admin portal queries active sessions scoped to the admin's organization. Remote termination marks the session record as revoked; the next token refresh attempt returns 401, forcing re-authentication. Session termination events are written to the audit log. Configurable idle timeout and absolute session lifetime policies should be stored in organization_settings.