LL::NG rely on a session mechanism with the session ID as a shared secret between the user (in SSO cookie) and the session database.
To configure sessions, go in Manager, General Parameters ยป Sessions:
- 
-  Sessions timeout: Maximum lifetime of a session. Old sessions are deleted by a cron script. 
-  Sessions activity timeout: Maximum inactivity duration. 
-  Sessions update interval: Minimum interval used to update session when activity timeout is set. 
Session activity timeout requires Handlers to have a write access to sessions database.
-  Opening conditions: rules which are evaluated before granting session. If a user does not comply with any condition, he is prompted a customized message. That message can contain session data as user attributes or macros. The conditions are checked in alphabetical order of comments. 
-  Sessions Storage- : you can define here which session backend to use, with the backend options. See  sessions database configuration-  to know which modules you can use. Here are some global  options that you can use with all sessions backends: 
 - 
-  generateModule: allows one to override the default module that generates sessions identifiers. For security reasons, we recommend to use Lemonldap::NG::Common::Apache::Session::Generate::SHA256 
-  IDLength: length of sessions identifiers. Max is 32 for MD5 and 64 for SHA256 
 
-  Multiple sessions, you can restrict the number of open sessions: - 
-  One session only by user: a user can not open 2 sessions with the same account. 
-  One IP only by user- : a user can not open 2 sessions with different  IP- . 
 
-  One user by IP address- : 2 users can not open a session with the same  IP- . 
 
-  Display deleted sessions: display deleted sessions on authentication phase. 
-  Display other sessions : display other sessions on authentication phase, with a link to delete them. 
 
Note that since HTTP protocol is not connected, restrictions are not applied to the new session: the oldest are destroyed.