Session Management

Admin-initiated session revocation is listed as a core authentication module capability (line 207) and is an incident-response prerequisite: if a user's device is lost or an account is compromised, administrators must be able to terminate all active sessions immediately without waiting for token expiry. The time-bounded support access mechanism (line 259) further requires that organizations can revoke Global Admin access at any moment, not merely let it expire passively - which requires a session surface with active revocation controls. Under GDPR, the ability to demonstrably terminate access upon request is a data processor obligation. With admin-security always-on, these controls must be present at launch; deferring them would leave organizations unable to respond to security incidents.

SessionManagementPage is a Next.js SSR page reading from user_sessions and refresh_tokens, scoped by organization_id. SessionManagementService handles termination by marking the refresh token as revoked in the database; in-flight access tokens expire naturally within their short-lived window (≤15 minutes) per the auth module contract. SessionRepository provides the data access layer with queries for active sessions by organization, user, and session ID. Support access grant revocation calls both the session invalidation path and updates the support_access_grants record, triggering an AuditLogService entry. Bulk-revoke for a user is a single database transaction. All session listing queries enforce organization_id scoping. WCAG 2.2 AA compliance required for all interactive elements.