Manage Active Sessions
See where you're logged into Toolfy, review active devices and locations, and revoke access to old sessions. Keep your account secure by monitoring and controlling who can access your data.
View active sessions
How to access session list
- 1.Go to Settings → Security
- 2.Scroll to "Active sessions" section
- 3.Review all devices and locations where you're currently logged in
What session information shows
Each session displays:
- • Device type: Browser name and operating system (e.g., "Chrome on macOS", "Safari on iPhone")
- • Location: Approximate city and country based on IP address
- • Last active: When you last used Toolfy on that device (e.g., "2 hours ago", "Active now")
- • IP address: Your device's internet address (click to expand)
- • Session created: When you first logged in on that device
Current session indicator
The device you're using right now shows a green "Current session" badge. You cannot revoke this session manually—log out instead to end it.
Revoke sessions
Remove access from devices you no longer use or recognize.
Identify the session to remove
Find the device or location you want to revoke. Common scenarios: old work laptop, shared computer, mobile device you no longer own, suspicious login from unknown location.
Click "Revoke" next to that session
A confirmation dialog appears. Review the device details to ensure you're revoking the correct session.
Confirm revocation
Click "Revoke session". The device is immediately logged out of Toolfy. If someone is actively using that session, they'll see "Session expired" and must log in again.
Revoke all other sessions
Log out everywhere except current device
In Settings → Security → Active sessions, click "Revoke all other sessions" (red button at bottom). This logs you out of every device except the one you're using right now.
When to use this
- • You suspect unauthorized access to your account
- • You logged in on a public/shared computer and forgot to log out
- • You lost a device that was logged into Toolfy
- • You changed your password and want to force re-authentication everywhere
- • Spring cleaning: close old sessions from devices you no longer use
What happens after
All other devices see "Session expired" when they try to use Toolfy. Users (including team members on their own devices) must enter email + password + 2FA code (if enabled) to log back in.
Session duration and expiry
Default session length
Toolfy sessions last 30 days from your last activity. If you don't use Toolfy for 30 days, you're automatically logged out and must re-authenticate.
Activity-based refresh
Every time you click around Toolfy, the 30-day timer resets. As long as you use Toolfy at least once a month, you stay logged in indefinitely.
Password change forces logout
When you change your password in Settings → Security, all sessions except your current one are revoked automatically. This prevents someone with an old session from continuing to access your account.
2FA reset requires re-login
If you disable or regenerate two-factor authentication, all sessions end immediately (including current device). You must log in again with the new 2FA setup.
Security best practices
✓ Do this
- • Review active sessions monthly
- • Revoke sessions from old devices immediately
- • Log out manually on shared/public computers
- • Enable 2FA for an extra security layer
- • Use "Revoke all" if you suspect unauthorized access
✗ Avoid this
- • Staying logged in on public/shared computers
- • Ignoring unfamiliar locations in session list
- • Using the same password across multiple services
- • Letting sessions run for months without review
- • Sharing your account with team members (invite them instead)
Recognizing suspicious sessions
Red flags to watch for
- ⚠️Unknown location: Session from a city/country you've never been to
- ⚠️Unfamiliar device: Operating system or browser you don't use (e.g., Linux when you only use macOS)
- ⚠️Simultaneous locations: Active sessions in two cities at the same time (unless you use VPN)
- ⚠️Old devices: Sessions from laptops you sold or recycled months ago
What to do if you see suspicious activity
- 1.Click "Revoke all other sessions" immediately
- 2.Change your password (Settings → Security → Change password)
- 3.Enable two-factor authentication if not already active
- 4.Email security@toolfy.io with session details (device, location, time)
- 5.Review recent activity (Settings → Audit log) for unauthorized changes
Team member sessions
Each user manages their own sessions
Team members control their own active sessions. Organization owners cannot see or revoke team members' sessions—each person manages their own security settings.
Remove a team member to force logout
If a team member leaves your company and you need to revoke their access, go to Settings → Team and remove them from the organization. This terminates all their sessions immediately and blocks future login.
Common questions
Why does my location show incorrectly?
Toolfy uses IP geolocation, which is approximate. If you use VPN, mobile hotspot, or your ISP routes traffic through a different city, the location may not match your physical location. This is normal and not a security issue.
Can I set a shorter session timeout?
Not currently. All sessions expire after 30 days of inactivity. For higher security, manually log out when you're done or use "Revoke all other sessions" weekly. Custom session timeouts are planned for enterprise customers.
What happens if I revoke my current session by accident?
You can't revoke the current session from the session list—it's marked "Current session" and has no revoke button. If you log out manually or use "Revoke all other sessions", just log back in with your email and password.
Do sessions persist across password changes?
No. Changing your password revokes all sessions except your current device. This is a security feature—if someone has unauthorized access, changing your password kicks them out immediately.
Can I see what actions were taken during a session?
Session management shows login info only. For detailed activity (who created/edited customers, sent invoices, changed settings), go to Settings → Audit log. This shows every action with timestamps, user, and device.
Related articles
- Enable Two-Factor Authentication - Add extra security layer
- Reset Your Password - Change account password
- Roles & Permissions - Control team member access
Security concerns? If you suspect unauthorized access to your account, email security@toolfy.io immediately. Our security team responds within 1 hour for urgent issues.