Session Management
Hub uses stateless JWT-based sessions with an 8-hour time-to-live. This page explains how sessions work and what controls are available.
How Sessions Work
When you sign in, Hub issues a signed JWT stored as an HttpOnly cookie on the .theonestack.com domain. This token is automatically sent with every request to any product.
| Property | Value |
|---|---|
| Cookie name | hub_session |
| TTL | 8 hours |
| Domain | .theonestack.com |
| HttpOnly | Yes (not accessible to JavaScript) |
| Secure | Yes (HTTPS only) |
| SameSite | Lax |
Session Expiry
Sessions expire exactly 8 hours after login. There is no sliding window — if you logged in at 9:00 AM, your session expires at 5:00 PM regardless of activity.
When your session expires:
- Your next action triggers a redirect to the login page
- Any unsaved work in the current page is preserved in local storage (where supported)
- After re-authenticating, you're returned to the page you were on
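As an added illustration (not Hub's own code), the following minimal HS256 implementation shows the behaviour described above and in the property table: the token's expiry is fixed at login time plus 8 hours and is never extended when the token is verified, and the Set-Cookie attributes match the table. The signing key, subject and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

SESSION_TTL_SECONDS = 8 * 60 * 60        # 8-hour TTL from the property table
COOKIE_NAME = "hub_session"
COOKIE_DOMAIN = ".theonestack.com"
SECRET = b"constructed-demo-signing-key"  # constructed sample key, not a real one


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(subject: str, login_time: int) -> str:
    """Mint an HS256 JWT whose exp is fixed at login_time + 8h (no sliding window)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": subject, "iat": login_time, "exp": login_time + SESSION_TTL_SECONDS}
    signing_input = header + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_session(token: str, now: int):
    """Return the claims if the signature is valid and exp has not passed, else None.
    The exp claim is read, never rewritten: activity does not extend the session."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse 'none' and algorithm-confusion headers
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(claims_b64))
    if now >= claims["exp"]:  # expiry is exact: 8 hours after login, not after last use
        return None
    return claims


def set_cookie_header(token: str) -> str:
    """Set-Cookie value carrying the attributes listed in the property table."""
    return (f"{COOKIE_NAME}={token}; Domain={COOKIE_DOMAIN}; Path=/; "
            f"Max-Age={SESSION_TTL_SECONDS}; HttpOnly; Secure; SameSite=Lax")
```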
Multi-Device Sessions
You can be signed in on multiple devices (laptop, desktop, phone) simultaneously. Each device has its own independent session token.
Signing Out
To sign out manually:
- Click your avatar in the top-right corner
- Click Sign Out
This clears the hub_session cookie and any locally stored session data. You'll need to re-authenticate with Microsoft Entra to sign in again.
Elevated Sessions (Sudo Mode)
For sensitive operations like changing billing settings or modifying roles, Hub may prompt you to re-authenticate. This is called "sudo mode" — it verifies your identity before allowing high-impact changes, even if your session is still valid.
Security Considerations
- No "Remember Me" — every session is exactly 8 hours, no exceptions
- HttpOnly cookies — the session token cannot be read by client-side JavaScript, protecting against XSS
- Secure flag — the cookie is only sent over HTTPS
- Account lockout — 5 failed login attempts trigger a 15-minute lockout (see SSO Login)