What is it?

The Session Management page, under the Gear icon > Session Management, allows FogBugz On Demand site administrators to view and revoke active tokens for their users. Tokens are what allow users to interact with the FogBugz UI and the FogBugz XML API. For Kiln users, tokens also provide access to the Kiln web UI and Kiln’s REST API. The Session Management page can be used to remove tokens individually or in bulk by user. There’s also a Big Red Button to kill all active sessions on your FogBugz On Demand account.

Types of Tokens

There are two token types you may see on this page:

  • Session tokens, which are issued by FogBugz when the “Remember Me” checkbox is unchecked.
  • API tokens, which are issued by an API logon or when the “Remember Me” checkbox is checked on the UI logon page.

Session Management

Kill a user’s sessions

All current active sessions will be shown for each user, as well as the last five characters of the token. From here you’ll be able to see what IP they logged in from, when the token was last active, and the type of token issued (Session or API). This will tell you how the tokens were generated (see Types of Tokens). Note that Session tokens may be used with the API, and vice-versa.

At the end of each token there is a red X that will let you revoke that individual token. This is particularly handy if you have an API script you have been testing that logs in manually but does not log out its tokens. Clicking the red X immediately revokes the token and refreshes the active tokens.
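A script can avoid leaving tokens behind by logging off in a cleanup step that runs even when the script fails. The following is an added example, not FogBugz's own code: it assumes the XML API's logon and logoff commands at api.asp accept POST parameters, the site URL and credentials are constructed, and FakeFogBugz is a hypothetical in-memory stand-in for the server so the block runs offline.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from contextlib import contextmanager

def http_post(url, params):
    """Default transport: POST the parameters so credentials stay out of the URL."""
    data = urllib.parse.urlencode(params).encode("utf-8")
    with urllib.request.urlopen(url, data=data, timeout=30) as resp:
        return resp.read().decode("utf-8")

def api_call(base_url, transport, **params):
    """Send one command to api.asp and return the parsed <response> element."""
    root = ET.fromstring(transport(base_url.rstrip("/") + "/api.asp", params))
    err = root.find("error")
    if err is not None:
        raise RuntimeError("FogBugz API error: %s" % err.text)
    return root

@contextmanager
def fogbugz_session(base_url, email, password, transport=http_post):
    """Log on, yield the token, and always log off so the token is revoked."""
    token = api_call(base_url, transport, cmd="logon", email=email, password=password).findtext("token")
    if not token:
        raise RuntimeError("logon response carried no token")
    try:
        yield token
    finally:
        api_call(base_url, transport, cmd="logoff", token=token)

class FakeFogBugz:
    """Constructed in-memory stand-in for the site, so the example runs offline."""
    def __init__(self):
        self.active = set()
    def __call__(self, url, params):
        if params["cmd"] == "logon":
            self.active.add("constructed-token-0001")
            return "<response><token>constructed-token-0001</token></response>"
        self.active.discard(params.get("token"))  # treat anything else as logoff
        return "<response></response>"

def tokens_left_after_crash():
    """Crash inside the session and return the tokens the fake still holds."""
    site = FakeFogBugz()
    try:
        with fogbugz_session("https://example.fogbugz.com", "dev@example.com", "constructed", site) as token:
            raise ValueError("script failed mid-run; token ended %s" % token[-5:])
    except ValueError:
        pass
    return site.active
```

A script that calls logon without the matching logoff leaves its token listed on the Session Management page until it is revoked there.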

There’s also a “Delete all tokens” button for every user. This is a quick way to revoke all tokens for a user without changing their password. Note that if you change a user’s password under the Gear icon > Users, this also revokes all their tokens.

Kill all sessions (The Big Red Button)

The Big Red Button will immediately reset all authentication information in the entire site. It will delete all FogBugz login tokens, Kiln access tokens, and RSS secrets. It will also expire all passwords and clear Two Factor Authentication settings for all users. It’s a big deal, so you will be asked twice to confirm.