Skip to content

Login Session Manager

Login Session Manager shows active WordPress login sessions, lets you force logout (revoke tokens), and optionally caps how many concurrent sessions each role may keep. Use it to clear stolen sessions, stop shared-password sprawl, and keep an eye on who is signed in.

  • Lists active sessions from WordPress session tokens (device / time / IP when not hidden).
  • Revokes sessions - one session, all for a user, or all site-wide (for users who can manage sessions).
  • Surfaces counts on user profiles, an Active sessions column on the Users list, and an admin-bar link when a user has more than one session (each optional).
  • Enforces per-role concurrent limits - default examples: administrator unlimited (0), editor 3, author 2, contributor/subscriber 1.
  • When the limit is exceeded: log out the oldest session(s) (default) or block the new login.
  • Optional privacy: hide IPs in lists; omit raw user-agent strings from AJAX responses.
  • Optional notice when an older session was removed because of the limit (admin, front end, and WooCommerce account).
  • You need to kick a compromised or leftover session without resetting the password.
  • Membership or staff accounts should not stay signed in on many devices.
  • You want visibility into concurrent logins during support.

Open the module’s advanced settings (gear icon). An active license is required.

  • Enable session manager (manager_enabled, default on) - allow viewing and revoking sessions.
  • User profile sessions (show_on_profile, default on) - show the panel on profile / user-edit screens.
  • Users list column (show_users_column, default on) - active session count on Users.
  • Admin bar link (show_admin_bar, default on) - when the current user has more than one session.
  • Privacy: Hide IP addresses (hide_ip, default off)
  • Omit raw user-agent strings (hide_user_agent, default off)
  • When limit exceeded (limit_exceeded_action, default logout_oldest) - Log out oldest session(s) or Block new login.
  • Background check interval (init_throttle_minutes, default 10, range 1-60) - how often to reconcile counts while a user is browsing.
  • Limit notice (show_limit_notice, default on) - notice when an older session was removed due to the limit.
  • Max sessions by role (role_max_sessions) - 0 = unlimited; positive values capped at 50. Limits use the user’s highest matching role cap.
  • Excluded roles (excluded_roles) - roles skipped by limits. A role cannot be both limited (positive max) and excluded; exclusions are dropped when a positive cap is set.

Inside advanced settings (for users who can manage sessions): list, destroy one, destroy all for a user, or destroy all site-wide.

  1. Go to WP PowerSuite -> Modules.
  2. Filter by Login & Users or search for “Login Session Manager”.
  3. Turn the module on.
  4. Open advanced settings, confirm Enable session manager, set role limits if needed, and save.
  • Sign in as the same user in two browsers, then open the sessions panel or profile list. ✅ Working: both sessions appear; destroying one signs that browser out.

Set a role max of 1, sign in twice.

  • ✅ With Log out oldest: the first session is revoked.
  • ✅ With Block new login: the second sign-in is rejected.

Confirm the Users column and admin-bar link when those options are on.

  • No sessions UI. Confirm manager_enabled is on and your account can manage users / sessions.
  • Limits not applying. Check the role max (not 0), that the role is not excluded, and wait for the background interval or a new login.
  • IPs missing. Hide IP addresses may be enabled.
  • Unexpected logout. A concurrent limit may be removing older sessions - raise the role max or exclude the role.
Where do I view and revoke sessions?

From the module advanced settings Active sessions panel, on user profile screens when enabled, and via the Users list session count column. You can destroy one session, all for a user, or all site-wide (with permission).

What happens when a role hits its session limit?

By default the oldest session is logged out so the new login can proceed. You can instead block the new login. Set a role max to 0 for unlimited.

Can I hide IP addresses in session lists?

Yes. Privacy settings can hide IP addresses in session lists and omit raw user-agent strings from AJAX responses.

Does it work with Login as User?

Yes. The session manager is aware of Login as User and Temporary Login cookies so those special sessions are handled appropriately in listings.

Developer notes (hooks & filters)

Source: modules/login-session-manager/module.php, modules/login-session-manager/admin.php, and modules/login-session-manager/includes/*. Boots on the standard tier. Requires an active license.

Uses WordPress session tokens (WP_Session_Tokens). AJAX actions: wpps_login_session_manager_list, _destroy, _destroy_all_user, _destroy_all_site (nonce wpps_login_session_manager).

Aware of cookies wpps_login_as and wpps_tl_session. Filter wpps_session_manager_client_ip for IP resolution. Blocked-login query flag wpps_lsm_blocked=1. Notice meta _wpps_lsm_limit_notice.