Browser Sessions
See every device signed in to your MemberPass account and sign out the ones you don't recognise.
By the end of this page, you'll know how to review every active sign-in on your account and remotely sign out anything suspicious.
Browser Sessions live inside Settings → Security (URL: /settings/security). Scroll down the page until you reach the Browser Sessions block.
What the list shows
For each active session you'll see:
| Field | What it tells you |
|---|---|
| Device / browser | The operating system and browser that signed in — e.g. "Chrome on Windows 10" or "Safari on iPhone". |
| IP address | The public IP the session connected from. Helpful for spotting unfamiliar regions. |
| Last active | How long ago the session made a request. Older sessions tend to have been forgotten about. |
| This device | A label highlighting the session you're currently on, so you don't accidentally try to revoke it. |
The session list only appears if your MemberPass deployment is configured with a database-backed session driver. If you don't see this section, contact your administrator.
Sign out other sessions
When you notice a session you don't recognise — for example, signed in from a different country or on a device you no longer own — revoking it takes seconds.
Under Browser Sessions, click the Log Out Other Browser Sessions button.
A modal appears asking for your current password. This is a safety check so a stolen session can't sign everything else out.
All sessions except the one you're currently on are invalidated. Those devices will be asked to sign in again the next time they try to use MemberPass.
You can't revoke a specific session from this UI — it's all-or-nothing. If you need fine-grained control, sign out of the questionable device manually where possible, then change your password and optionally regenerate your 2FA recovery codes.
When to sign out other sessions
Run this action in any of these situations.
Sold or gave away a device
If any device that was ever signed in to MemberPass has left your hands, revoke other sessions to make sure the new owner can't resume where you left off — even if you signed out manually, a stale session token might still be valid.
Public or shared computer
Hotel business-centres, a friend's PC, library terminals — any machine where you couldn't verify that the sign-out actually took effect. Revoke other sessions when you're back on your own device.
Unfamiliar IP or location
If the session list shows an IP you don't recognise, or a geographic location that doesn't match where you've been, treat it as suspicious and revoke immediately. Follow up with a password change and 2FA review.
After a security incident
If you've just reset your password because you suspect something was compromised, revoking other sessions ensures the attacker's existing session can't continue while you're locking them out.
Periodic hygiene
No specific trigger — just good practice. If the list shows sessions you don't remember, clear the slate.
What happens to the revoked sessions?
- The next request they make to MemberPass returns them to
/login. - Any "Remember Me" tokens for those sessions are invalidated.
- They cannot be un-revoked — anyone affected has to sign in fresh.
Good hygiene checklist
Related
- Two-factor authentication — a strong block against anyone signing in even if they learn your password.
- If you can't sign in — what to do if you suspect you're locked out because someone else is in.
- Signing in — the methods someone would need to beat to sign in as you.