
Sessions & Audit Log

IDP Sessions

An IDP session (idp_sid) is a server-side SSO session created when a user successfully completes a portal or OIDC login. It is stored as an httpOnly cookie and allows the user to complete subsequent OIDC / SAML flows without re-entering credentials (within the session lifetime).

The idp_sid cookie is set with HttpOnly, Secure, Path=/, and SameSite=Lax. Lax (rather than Strict) is required so the cookie travels with top-level cross-site GET navigations from a relying-party application back to /oauth2/authorize — this is what enables silent SSO when a user opens an app that redirects to JustIAM. CSRF on /oauth2/authorize is not exploitable because client_id and redirect_uri must match a pre-registered application.

A second cookie, idp_token, carries the JWT used for portal API calls. It is scoped to Path=/api and uses SameSite=Strict (it is only ever read by same-site SPA fetches).

Session lifetime

Controlled by session_duration_days in Settings (default 7 days). The session is renewed on each successful authentication.

Viewing sessions

UI: Active Sessions (bottom nav)

API:

GET /api/v1/sessions?page=1&limit=25&search=alice

Returns a paginated list of active sessions with user, IP address, user agent, and creation/expiry times.

| Query param | Default | Description                                  |
|-------------|---------|----------------------------------------------|
| page        | 1       | Page number                                  |
| limit       | 20      | Items per page (max 100)                     |
| search      | (none)  | Filter by username, email, or display name   |

Response shape:

{
  "data": [ /* SessionInfo objects */ ],
  "total": 42,
  "page": 1,
  "limit": 25
}

Revoking a session

UI: Sessions → Revoke button

API:

DELETE /api/v1/sessions/{id}

Revoking all sessions for a user

DELETE /api/v1/users/{userId}/sessions

Audit Log

The audit log is an append-only record of security-relevant events. Entries cannot be modified or deleted (only purged by the retention policy).

Viewing

UI: Administration → Audit Log (requires audit.view permission)

The audit log supports filtering and pagination.

API:

GET /api/v1/audit-logs?page=1&limit=50&user_id=...&action=login_success

Retention

Audit log retention is configured by the platform operator via the controlplane Security limits section (default 365 days). The built-in audit_log_cleanup scheduled task runs on a schedule to purge old entries.

Recorded events

| Event | Trigger |
|-------|---------|
| login_success | Successful local login |
| login_failed | Failed password |
| suspicious_login | Login from new location (heuristic) |
| brute_force_detected | Multiple failed logins |
| account_locked | Account locked after too many failures — also fires the account.locked event action |
| account_unlocked | Admin manually cleared the lockout |
| password_reset_link_sent | Admin sent a password-reset link to a user |
| federated_login_success | Successful federated (Google) login |
| federated_login_failed | Failed federated login (domain/email not allowed) |
| password_change | User changed password |
| user_create / user_delete | User created or deleted |
| user_activated / user_deactivated | Active state changed |
| privilege_escalation / privilege_revocation | Admin flag changed |
| session_revoked_all | All sessions revoked for a user |
| mfa_enrolled / mfa_unenrolled | MFA credential added or removed |
| mfa_challenge_success / mfa_challenge_failed | MFA step outcome |
| group_create / group_update / group_delete | Group lifecycle |
| group_member_add / group_member_remove | Membership change |
| application_create / application_update / application_delete | App lifecycle |
| application_access | User granted/revoked access to an application |
| idp_role_create / idp_role_update / idp_role_delete | IDP role lifecycle |
| federated_provider_create / federated_provider_update / federated_provider_delete | Provider lifecycle |
| setting_update | A setting value was changed |
| pat_created / pat_deleted | Personal access token lifecycle |
| rate_limit_exceeded | IP exceeded login rate limit |

Each entry includes: user_id, action, resource_type, resource_id, ip_address, user_agent, and a details map with event-specific data.
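As an added example (not code from the JustIAM project), the following Python module pages through /api/v1/audit-logs for brute_force_detected and suspicious_login entries and then revokes every session of the affected users via DELETE /api/v1/users/{userId}/sessions, which is the response an operator would typically script from these two APIs. It assumes a client callable http(method, path, params) that returns the decoded JSON body, and that the audit-log endpoint uses the same data/total/page/limit shape documented for /api/v1/sessions; FakeApi holds constructed sample entries so the module runs offline.

```python
# Added example (not JustIAM's own code). Assumes a client http(method, path,
# params) returning decoded JSON and audit-logs paging like /api/v1/sessions.
from typing import Callable, Iterator
Http = Callable[[str, str, dict], dict]
PAGE_LIMIT = 100  # documented maximum for limit= on /api/v1/sessions

def iter_pages(http: Http, path: str, params: dict) -> Iterator[dict]:
    """Walk a data/total/page/limit endpoint until every row has been seen."""
    page, seen = 1, 0
    while True:
        body = http("GET", path, {**params, "page": page, "limit": PAGE_LIMIT})
        rows = body.get("data", [])
        yield from rows
        seen += len(rows)
        if not rows or seen >= body.get("total", 0):  # empty page guards a bad total
            return
        page += 1

def flagged_users(http: Http, actions: tuple) -> set:
    """user_ids with at least one audit entry whose action is in `actions`."""
    hits = set()
    for action in actions:
        for entry in iter_pages(http, "/api/v1/audit-logs", {"action": action}):
            if entry.get("user_id"):
                hits.add(entry["user_id"])
    return hits

def revoke_all_sessions(http: Http, user_ids: set) -> list:
    """Revoke every session of each flagged user; returns the paths called."""
    paths = [f"/api/v1/users/{uid}/sessions" for uid in sorted(user_ids)]
    for path in paths:
        http("DELETE", path, {})
    return paths

class FakeApi:
    audit = [  # constructed sample entries standing in for a JustIAM server
        {"user_id": "u-alice", "action": "brute_force_detected", "ip_address": "203.0.113.7"},
        {"user_id": "u-bob", "action": "login_success", "ip_address": "198.51.100.2"},
        {"user_id": "u-carol", "action": "suspicious_login", "ip_address": "192.0.2.9"},
    ]
    def __init__(self):
        self.deleted = []
    def __call__(self, method: str, path: str, params: dict) -> dict:
        if method == "DELETE":
            self.deleted.append(path)
            return {}
        rows = [e for e in self.audit if e["action"] == params.get("action")]
        start = (params["page"] - 1) * params["limit"]
        return {"data": rows[start:start + params["limit"]], "total": len(rows),
                "page": params["page"], "limit": params["limit"]}
```

Calling flagged_users(FakeApi(), ("brute_force_detected", "suspicious_login")) returns {"u-alice", "u-carol"}; swap FakeApi for a real client that attaches the idp_token cookie or a personal access token to reach a live instance.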