Press "Enter" to skip to content
< Back

Session Security Features

When any user logs in, the session created should only be used by that one individual and never shared (just as login details should never be shared).  W2W has different security features that assist in this effort, which prevent users from sharing active session links and blocking others from attempting to use the same session on another device or location. 

Device-Specific Sessions

Our system will always attempt to create a device-specific session whenever possible.  This is achieved when, upon a successful login from either our secure desktop or mobile login pages, our system places a small plain text file (referred to as a ‘cookie’) on the device.  With device specific sessions, use of the particular session can only be provided if the associated cookie data and browser version are available and verified.  Note the cookie data is not used for any other purpose nor tracking, just for identifying if session is being used on same device.
We offer two different session security levels, and for most organizations we recommend “Level 2” as that offers the most security while still allowing universal access.  Please review the differences offered for each Level below before changing this setting option.

Level 1

This lowest level of session security will still attempt to create a device-specific session whenever possible, but if user does not allow cookies it will allow user to continue through a non device-specific session anyway.  Also, with this level there is no IP-specific restrictions, so the session can continue if the IP address changes during the session.  This level is not recommended unless in extreme case where an organization both requires no cookie use and also has load balancing software that changes IP addresses often. 

Level 2

This level of session security will attempt to create a device-specific session whenever possible, but if the user does not allow cookies it will allow user to continue the session anyway.  Any use of a non device-specific desktop session will require a static IP address, so it will block any attempt to use session on a different IP address.  Note mobile sessions do not require a static IP address, since cellular data can change address locations, so please see final note below about how to ensure sessions are ended when complete.   This level is recommended for most organizations as it allows access to all users and ensure will have either device-specific sessions or IP-specific desktop sessions.

Control the End of a Session

As a convenience, device-specific sessions do not automatically time out, and non device-specific sessions will time out after 20 minutes of non-use.  It is recommended that all users end their sessions by using the “Sign Out” option as this ends their particular session so cannot be accessed again, even if attempted from the same device and same IP address.  This is critically important when using a shared device.



employee kicked out, expired session, error message kicks me out off