Skip to main content

Session limits and disconnecting sessions

Each Knocknoc user has a limit on how many things can be signed in and holding access at the same time. When that limit is reached, the user is shown a Session limit reached screen and asked to disconnect one of their active sessions before they can continue. This stops a single account from building up unlimited access from many places at once.

What counts towards the limit

A user's limit is a single shared pool. Three kinds of thing each take up a place in it:

  • Login sessions: a signed-in browser. Each browser or device the user logs in from is one login session.
  • Agents/Magic links: an outstanding agentic access. This covers the whole life of an agentic access, from the moment the link is created through to it being approved and active.

Companion devices do not count towards the limit. They are managed and capped separately when the device is added, so registering a companion device never uses up a place in the pool.

Places free up on their own as sessions expire, links are used and expire, or the user logs out. A pool that is full now will usually clear itself over time without any action.

Where the limit comes from

The limit is set for each user, and defaults to the limit included with your Knocknoc plan. A user with no limit of their own gets the plan default. A per-user limit can be lower than the plan default, and can also be supplied by your identity provider when users sign in with SAML.

What the user sees when the limit is reached

If a user tries to sign in while their pool is full, or is already signed in in another tab, they are taken to the Session limit reached screen instead of their home page. It explains that they need to disconnect a session or device to continue, and shows how many places are in use.

image.png

The screen lists every active session and device using the account. For each one the user can see:

  • What it is: a login session or an agent/magic link.
  • How it signed in: for login sessions, whether it was a password, SAML, LDAP or API key sign-in.
  • The device and browser, and the IP address it is coming from.
  • When it started and when it expires.
  • What it can access: expanding an entry lists the Knocs that session or device currently has access to, so the user can see what disconnecting it would cut off.

The user's own current session is marked This device. It cannot be disconnected here, because disconnecting your own session is simply logging out. That is offered as a separate option.

Continuing past the limit

The user has two choices:

  1. Disconnect a session or device, then select Continue. Once a place in the pool is free, the user can carry on and their access is set up as normal. Disconnecting a session or device ends it straight away and removes the access it was holding.
  2. Log out and sign back in later, for example once one of the listed sessions has expired on its own.

The Continue button only becomes available once there is a free place in the pool. If everything is still in use, the user is told to disconnect something first.

Sign-ins that cannot use this screen

Sign-ins made with an API key have no interactive screen to fall back to. When the pool is full, an API key sign-in is rejected rather than being sent to the session-limit screen. Freeing up a place, or raising the user's limit, allows it to succeed on the next attempt.