Overview

Hanzo IAM manages authentication through sessions, which represent active login states across applications. Each session tracks a user's authenticated connection to one or more applications in an organization.

A session represents an authenticated user state. When a user signs in to an application, Hanzo IAM creates a session record that includes:

Users can have multiple active sessions simultaneously - for example, logging in from different devices or browsers. Each session is tracked independently, allowing granular control over user access.

Sessions move from creation to termination as follows:

Creation: When a user authenticates successfully (OAuth, SAML, username/password, etc.), Hanzo IAM creates a new session and assigns a unique session ID.

Active: While active, the session grants access to protected resources without re-authenticating. Each request validates the session so expired or revoked sessions are rejected.

Expiration: Sessions expire after a configurable period of inactivity or at maximum lifetime. Hanzo IAM cleans up expired sessions automatically.

Termination: Sessions can be ended by logout (user or admin). When terminated, all associated session IDs are invalidated immediately.

Hanzo IAM supports multiple concurrent sessions per user. This is useful when:

Each session is tracked separately with its own session ID. This allows users to selectively terminate specific sessions without affecting their other active logins - for example, logging out from a work computer while staying logged in on a mobile device.

Session data is stored in Hanzo IAM's database and is associated with:

Session IDs are stored as arrays, allowing a single session record to track multiple concurrent logins for the same user-application pair.