User Session Management feature allows you to better control user sessions on your WordPress site and expire idle sessions and prevent account sharing.
Let’s say you’re an administrator of a site, and you see that somehow, some way, someone else is logged into the site under your administrator username in another location – you can immediately take action against this. Without being able to see currently active sessions, you are blind. User sessions simply give you a view on to who is on your site and where they are.
User Session Management options explanations
Option: Session Timeout
This option helps you to specify how many days after login to automatically force re-login.
Note: WordPress default is 2 days, or 14 days if you check the "Remember Me" box.
This cannot be less than "1". Default: "2".
Option: Idle Timeout
This option helps you to specify how many hours after inactivity to automatically logout user.
If the user is inactive for the number of hours specified, they will be forcefully logged out next time they return.
Set to "0" to turn off this option.
Note: If the user has any browser activity whatsoever, this will affect their automatic logouts e.g. if they leave their browser window open and there are any background (AJAX) requests to the site, this will count as activity.
This is what users get when they:
Close the browser window of the site
Leave the browser window of the site opened and there's no a background requests to the site
Option: Lock To Location
This option helps you to lock a user session to IP address.
Note: When selected, a session is restricted to the same IP address as when the user logged in. If a logged-in user's IP address changes, the session will be invalidated and they'll be forced to re-login to WordPress.
Option: Max Simultaneous Sessions
This option helps you to limit simultaneous sessions for the same username.
When you start using this option for the first time, you’ll be logged out of WordPress.
This is because you’ve activated the Shield Security’s user sessions management and it’ll immediately check whether you have an active session in the database.
If it can’t find it, it logs you out – you immediately experience the effects of the user sessions managements.
Once you’re logged-in, however, each time you access the site, it’ll lookup your sessions against the database – to track your session, it places a unique cookie with your session ID. This is matches against your WordPress username and determines the validity of your session.
Note: The number provided is the maximum number of simultaneous, distinct, sessions allowed for any given username.
Zero (0) will allow unlimited simultaneous sessions.
Note: You also have the ability to review user sessions.
For further reading on User Sessions, read the blog article here.