Sessions store session information on a per-authentication-module basis.

For each authentication module, you can configure the session details individually. For some modules, such as password, you might want to remember the user's session, while for other modules, such as Facebook, you might choose not to remember session information.

Upon logout, all session information is destroyed.


Go to Authentication and select one of the authentication modules. Consider "remember my device" or "remember my login".


Related to sessions are access tokens. When using OAuth 2.0 or OpenID Connect, an access token is issued with a certain lifetime.

While all access tokens issued are JSON Web Tokens (JWT), they can nevertheless be revoked. When a client calls the OAuth 2.0 introspection endpoint, the state of the token is returned.
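The following is an added example, not code from the product documented here: it shows why a resource server should not rely on the JWT's own `exp` claim alone, by combining it with the `active` field of an RFC 7662 introspection response. The endpoint URL, client credentials, HTTP Basic client authentication and the sample token are assumptions constructed for illustration.

```python
import base64, json, time, urllib.parse, urllib.request

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sample_jwt(exp: int) -> str:
    """Constructed sample token; the signature part is a dummy, not a real one."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": "subject-123", "exp": exp}).encode())
    return f"{header}.{payload}.{b64url(b'dummy-signature')}"

def jwt_claims(token: str) -> dict:
    """Read the payload only. Signature verification is a separate, required step."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def introspection_request(endpoint, token, client_id, client_secret):
    """RFC 7662 request: form-encoded POST, caller authenticated (here HTTP Basic)."""
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"})
    creds = f"{urllib.parse.quote(client_id)}:{urllib.parse.quote(client_secret)}"
    return urllib.request.Request(endpoint, data=body.encode(), method="POST", headers={
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json"})

def introspect(request) -> dict:
    """Send the request to a live endpoint (not called in the offline demo below)."""
    with urllib.request.urlopen(request, timeout=5) as resp:
        return json.loads(resp.read())

def accept_token(token: str, introspection: dict, now=None):
    """Return (accepted, reason). Fails closed unless the server says active=true."""
    now = time.time() if now is None else now
    if jwt_claims(token).get("exp", 0) <= now:
        return False, "expired"
    if introspection.get("active") is not True:
        return False, "inactive"   # revoked, unknown, or malformed response
    return True, "active"

if __name__ == "__main__":
    token = sample_jwt(exp=int(time.time()) + 3600)   # still valid by its own claims
    print(accept_token(token, {"active": False}))      # revoked at the server
    print(accept_token(token, {"active": True, "sub": "subject-123"}))
```

A token that is unexpired by its own claims is still rejected when the introspection response does not report it as active, which is how a revocation takes effect before the token's lifetime ends.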


After the presented list of authentication modules has been passed successfully, a Subject entity is created. This one is unique for every login action. A Subject is related to either a stored User or a federated identity.