Session Management is a monitoring and response page rather than a one-time switch. Here is how to use it to review active sessions and end a suspicious one. You need the Manage Users permission, which is included in System Administrator.
- Open the page
From Setup, enter Session Management in the Quick Find box, then select Session Management. The list of active sessions loads, covering browser, OAuth, JWT, and mobile sessions across the org.
- Scan the active sessions
Read across each row: Username, Session Type, Login Type, Login Time, and source IP address. Look for the same user logged in from several regions at once, or sessions far older than your timeout policy.
- Investigate anything that looks off
Cross-check a questionable IP address or an unusually long-lived session against Login History for that user. Confirm whether the activity is legitimate before you act.
- End the session
Select Remove on the row you want to cut. The session ends and that browser or client must log in again. Remember the token is revoked immediately for most services and within 30 minutes for some.
- Contain the account if needed
If the session was a real compromise, removing it is not enough. Freeze or deactivate the user, reset the password, and review what the session touched so a new login cannot quietly resume.
- Username: The user the session belongs to. Group rows by username to see anyone holding several sessions at once.
- Session Type: How the session was created, such as an interactive UI login, a Visualforce or Aura session, or a content session. Helps you separate user logins from integration tokens.
- Login Type: The authentication method behind the session, for example a standard login, single sign-on, or an OAuth flow.
- Source IP: Where the session's requests originate. Compare against the locations your users actually work from to flag impossible travel.
- Remove: Ends the selected session on demand. The connection is rejected on its next request and must authenticate again.
- Removing a session is not always instant everywhere. The token is revoked immediately for most services but can take up to 30 minutes for some.
- Ending a session does not block a new login. If credentials are compromised, also freeze the user and reset the password, or they can simply log back in.
- The page shows only currently active sessions. For a full history of who logged in, from where, and the result, use Login History instead.
- Long-lived integration sessions are often legitimate, but a token older than your rotation policy on a connected app is worth investigating.
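The checks from the "Scan the active sessions" step can be run over a copy of the session list. This is an added example, not Salesforce code: the CSV layout, the sample rows, the `triage` function, and both age limits are assumptions, and distinct source IPs stand in for "several regions" because no geolocation data is used.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows. Column names follow the page's list view;
# the CSV layout and all values are assumptions for this example.
SAMPLE = """Username,Session Type,Login Type,Login Time,Source IP
ana@example.com,UI,Standard,2024-05-01T08:00:00+00:00,198.51.100.10
ana@example.com,UI,Standard,2024-05-01T08:20:00+00:00,203.0.113.77
bo@example.com,UI,SSO,2024-05-01T07:30:00+00:00,198.51.100.11
svc@example.com,API,OAuth,2024-03-01T00:00:00+00:00,192.0.2.5
"""

NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # fixed for a repeatable run
USER_MAX_AGE = timedelta(hours=12)   # assumed interactive timeout policy
TOKEN_MAX_AGE = timedelta(days=30)   # assumed connected-app rotation policy

def triage(csv_text, now, user_max_age, token_max_age):
    """Return {username: [reasons]} for rows to cross-check in Login History."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_user = defaultdict(set)
    for r in rows:
        by_user[r["Username"]].add(r["Source IP"])
    findings = defaultdict(list)
    for user, seen in by_user.items():
        if len(seen) > 1:  # same user active from more than one address
            findings[user].append("multiple source IPs: " + ", ".join(sorted(seen)))
    for r in rows:
        age = now - datetime.fromisoformat(r["Login Time"])
        # Integration tokens are judged against rotation policy, not UI timeout.
        limit = token_max_age if r["Login Type"] == "OAuth" else user_max_age
        if age > limit:
            findings[r["Username"]].append(f"{r['Login Type']} session age {age} exceeds {limit}")
    return dict(findings)

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE, NOW, USER_MAX_AGE, TOKEN_MAX_AGE).items():
        print(user, "->", "; ".join(reasons))
```

A hit here is a prompt to investigate, not a verdict: confirm against Login History before removing the session.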