
Active sessions

Multi-device sign-in and how to sign out of a lost device.


Every device you sign in to TAB from creates a row in device_sessions. Your laptop in the office, your laptop at home, the desktop app: each one is a separate session, and each one stays signed in until it's explicitly revoked or the cookie expires (7 days).

The Active sessions card on the dashboard lists them all, so you can see where you're logged in and shut down anything that shouldn't still be live.

Where the card lives

The card is rendered at the bottom of the dashboard page, below the tile grid. Every user sees it: accountants, managers, and admins alike. (It's your sessions, not the firm's.)

What's on each row

Each row shows:

  • An icon. Globe icon for web sessions, laptop icon for desktop. There's no per-OS detail today; both Mac and Windows desktops show the laptop icon.
  • A label. A short string describing the session. It falls back to the client kind (web / desktop) when no nicer label exists.
  • A This device tag. Green Carbon tag, shown only on the row that corresponds to your current request.
  • "Last seen X ago · started X ago". Both are relative timestamps: "Just now", "5 min ago", "3 hr ago", "2 days ago".

Signing out a single device

Each non-current row has a small trash-can button on the right.

  1. Find the row for the device you want to revoke.
  2. Click the trash-can.

The request fires immediately (there's no confirmation modal) and the list refreshes. The next time that device hits a protected endpoint, the JWT's sid claim points at a now-revoked session and the request 401s. The user is bounced to the sign-in screen.

The This device row doesn't have a trash-can. That's on purpose, so you can't accidentally lock yourself out of the page you're sitting on. To end the current session, use the Sign out link in the user menu (top-right avatar) instead.

Sign out everywhere else

When you have other sessions, a Sign out everywhere else button appears in the card header.

  1. Click Sign out everywhere else.
  2. The request fires immediately; again, there's no confirmation modal.

Every session other than the current one is revoked. The response includes a count ({"revoked": N}) but the UI just reloads the list; you'll see only your current row remain.

When to reach for it:

  • Lost laptop. Sign in from any other device, hit the button, and the lost machine's session is dead.
  • Borrowed computer. You signed in at a client's office a month ago and forgot to sign out? One click.
  • Suspicious activity. Something on the list you don't recognise. Revoke everything, then change your portal password.

What revoking doesn't do

Revoking a session doesn't touch any data. Your entries, clients, reports: all of it stays on the server. The session row just gets revoked_at set; the JWT's sid is now invalid.

It also doesn't change your portal password. If you suspect account compromise, revoke everywhere and go to portal.gbossone.com to rotate the password.
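
The revocation behaviour described above, sketched as an added example (not TAB's own code) to show why each update is scoped to the caller's user id and to sessions that are still live. Only device_sessions, revoked_at, sid and the {"revoked": N} body come from this page; the other columns, the function names and the integer timestamps are assumptions, and the JWT claims are taken as already signature-verified.

```python
import sqlite3

# Assumed columns: only the table name and revoked_at appear on the page.
SCHEMA = """CREATE TABLE device_sessions (
    sid TEXT PRIMARY KEY, user_id INTEGER NOT NULL, client_kind TEXT NOT NULL,
    started_at INTEGER NOT NULL, last_seen_at INTEGER NOT NULL, revoked_at INTEGER)"""

def open_db(rows):
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO device_sessions VALUES (?, ?, ?, ?, ?, NULL)", rows)
    return db

def authorize(db, claims, now):
    """200 if the verified JWT's sid names a live session of that user, else 401."""
    cur = db.execute(
        "UPDATE device_sessions SET last_seen_at = ? "
        "WHERE sid = ? AND user_id = ? AND revoked_at IS NULL",
        (now, claims.get("sid"), claims.get("sub")))
    return 200 if cur.rowcount == 1 else 401

def revoke_one(db, claims, target_sid, now):
    """Trash-can action: revoke one of the caller's other sessions."""
    if target_sid == claims["sid"]:
        return False  # the current session ends via Sign out, not from the card
    cur = db.execute(
        "UPDATE device_sessions SET revoked_at = ? "
        "WHERE sid = ? AND user_id = ? AND revoked_at IS NULL",  # own rows only
        (now, target_sid, claims["sub"]))
    return cur.rowcount == 1

def revoke_others(db, claims, now):
    """Sign out everywhere else: revoke every live session except the caller's."""
    cur = db.execute(
        "UPDATE device_sessions SET revoked_at = ? "
        "WHERE user_id = ? AND sid != ? AND revoked_at IS NULL",
        (now, claims["sub"], claims["sid"]))
    return {"revoked": cur.rowcount}

def demo():
    # Constructed rows: (sid, user_id, client_kind, started_at, last_seen_at)
    db = open_db([("s-office", 1, "web", 100, 100), ("s-home", 1, "web", 100, 100),
                  ("s-desktop", 1, "desktop", 100, 100), ("s-other-user", 2, "web", 100, 100)])
    me, lost = {"sub": 1, "sid": "s-office"}, {"sub": 1, "sid": "s-home"}
    return [revoke_one(db, me, "s-other-user", 200),  # another user's row: refused
            revoke_one(db, me, "s-home", 200),        # the lost laptop: revoked
            authorize(db, lost, 201),                 # its next request is rejected
            revoke_others(db, me, 202),               # only s-desktop was still live
            authorize(db, me, 203)]                   # the current session survives
```

Calling demo() walks through the lost-laptop case: the revoked session's next request gets a 401 while the current session keeps working.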
