Session management controls how long an Empuls sign-in stays valid, how many simultaneous sessions a user can hold across platforms, and how to invalidate sessions when needed. Empuls issues encrypted JWT tokens backed by Redis-stored sessions; you tune their lifetime and concurrency rules here. This is a sub-page of security settings.

Before you start

  • You must be a Super Admin.
  • Tightening session rules invalidates ongoing sessions — communicate the change before applying org-wide.
  • Session rules interact with password policy and SSO — review all three together.

What you can configure

Session token expiry

Empuls’s auth token has a default lifetime; idle sessions are revoked after this period. Configure separately per platform:

| Platform | Default | Common values |
| --- | --- | --- |
| Web | 8 hours | 1h (high-security), 4h, 8h, 24h |
| Mobile | 30 days | 7d, 14d, 30d |
| MS Teams app | Inherits Teams session | Not directly configurable |
| Slack app | Inherits Slack session | Not directly configurable |

Tokens are JWTs signed with RS256 and encrypted using ECDH-ES, so even if a token is exfiltrated it can’t be replayed against a different tenant.

Concurrent login limits

Cap how many simultaneous sessions a user can hold:
  • Global maximum — Total active sessions across all platforms (default unlimited).
  • Per-platform maximum — Different cap for web vs mobile (e.g., 2 web sessions, 3 mobile sessions).
When a user signs in beyond the cap, Empuls invalidates the oldest session. Useful for high-security tenants that want to limit account sharing.

Blocked platforms

Optionally disable login from specific platforms entirely:
  • Web only
  • Mobile only
  • Web + mobile only (no MS Teams or Slack)
  • All platforms allowed
Useful for offline-period enforcement or compliance scenarios where one platform doesn’t meet policy.

Session duration override (per company)

For tenants serving multiple companies (rare in standard Empuls deployments), you can override session duration per company.

Configure session rules

1. Open Session Management
   Navigate to Admin Hub → Platform Settings → Security → Session Management.

2. Set token expiry per platform
   Enter values in hours (web) or days (mobile). Set 0 to use defaults.

3. Set concurrent login limits
   Enter the global maximum and per-platform maximums. Leave blank for unlimited.

4. Toggle blocked platforms
   Check any platforms you want to block.

5. Save
   Rules apply on the next sign-in. Active sessions are not invalidated (use force-logout for that).

Force logout all sessions

For immediate enforcement after a policy change, or in response to a security incident:

1. Open the Sessions sub-tab
   Stay in Session Management and switch to Active Sessions.

2. Click Force logout all
   A confirmation dialog explains the impact — all users sign back in on next page load.

3. Confirm
   Empuls invalidates every active session. Users see the sign-in page on their next request.

You can also force-logout an individual user from their record on Manage employees — Action menu → End all sessions.

Token tracking and proxy logins

Sessions tied to admin Login As (impersonation) are tracked separately. The admin’s own session and the impersonation session both have unique IDs; ending one doesn’t affect the other. For diagnostics, the Active Sessions table shows:
  • User
  • Platform (web, mobile, teams, slack)
  • IP address
  • Started at
  • Last activity
  • Session ID (truncated)

Limits and gotchas

  • Setting a very short web session (e.g., 30 minutes) significantly increases sign-in friction. Pair with SSO to soften.
  • Empuls’s session storage is in Redis. Brief Redis hiccups can transiently look like session failures — the system retries automatically.
  • Concurrent login limits trigger oldest-session eviction, not denial. New sign-ins always succeed; old ones get kicked.
  • Per-company session overrides require a support request to configure.
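
The eviction behaviour described under Concurrent login limits and restated in the eviction bullet above, as an added Python model that is not Empuls code. The class and function names are hypothetical, and two details are assumptions the page does not state: "oldest" means earliest sign-in, and the per-platform cap is applied before the global cap.

```python
from itertools import count


class SessionStore:
    """Toy model of concurrent-login caps with oldest-session eviction."""

    def __init__(self, global_max=None, per_platform_max=None):
        self.global_max = global_max                  # None = unlimited (page default)
        self.per_platform_max = per_platform_max or {}
        self.active = []                              # (sid, user, platform), oldest first
        self._ids = count(1)

    def _trim(self, match, cap, evicted):
        """Evict the oldest matching sessions until at most `cap` remain."""
        if cap is None:
            return
        mine = [s for s in self.active if match(s)]
        # max(cap, 1): the session just created is never evicted, because
        # the page says new sign-ins always succeed.
        for s in mine[:max(0, len(mine) - max(cap, 1))]:
            self.active.remove(s)
            evicted.append(s[0])

    def sign_in(self, user, platform):
        """Admit a new session and return the IDs of the sessions it evicted."""
        self.active.append((next(self._ids), user, platform))
        evicted = []
        # Assumption: the per-platform cap is applied first, then the global cap.
        self._trim(lambda s: s[1] == user and s[2] == platform,
                   self.per_platform_max.get(platform), evicted)
        self._trim(lambda s: s[1] == user, self.global_max, evicted)
        return evicted


def demo():
    """Constructed scenario: 2 web / 3 mobile (the page's example caps), global cap 4."""
    store = SessionStore(global_max=4, per_platform_max={"web": 2, "mobile": 3})
    order = ["web", "web", "mobile", "web", "mobile", "mobile"]
    log = [store.sign_in("alice", p) for p in order]
    return log, [(sid, platform) for sid, _, platform in store.active]


if __name__ == "__main__":
    evictions, remaining = demo()
    print("evicted per sign-in:", evictions)
    print("still active:", remaining)
```

Under these assumptions the fourth sign-in evicts the oldest web session because of the web cap, and the sixth (a mobile sign-in) evicts a web session, because the global cap removes the user's oldest session on any platform.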