Session Management

How to view active sessions, revoke devices, and understand session timeouts in Forbidden Finance.

Overview

Session management in Forbidden Finance lets you see every device where your account is currently logged in and revoke access to any of them instantly. Sessions expire automatically to protect your account -- after 30 minutes of inactivity or 8 hours total, you are logged out and need to sign in again. These protections ensure that a forgotten login on a shared computer or a lost device does not leave your financial data exposed.

How to View Active Sessions

  1. Open Security Settings. Go to Settings > Security > Active Sessions.
  2. Review your sessions. You see a list of all devices where your account is currently logged in, including the device type, browser or app, approximate location, and when the session was last active.

How to Revoke a Session

  1. Find the session. In the Active Sessions list, locate the device you want to log out.
  2. Tap Revoke. Tap the Revoke button next to that session. The device is logged out immediately.
  3. Confirm the revocation. Confirm when prompted. The session is terminated and the Forbidden Finance app on that device returns to the login screen on its next interaction.

If you see a session you do not recognize, revoke it immediately and change your password. Then review your MFA settings to make sure no unauthorized methods have been added.

Session Timeout Rules

Forbidden Finance enforces two automatic timeout policies to protect your account:

| Rule | Duration | What Happens |
| --- | --- | --- |
| Inactivity warning | 28 minutes | A notification appears warning you that your session is about to expire. Interact with the app to reset the timer. |
| Inactivity timeout | 30 minutes | If you do not interact with the app for 30 consecutive minutes, you are automatically logged out. |
| Absolute session cap | 8 hours | Regardless of activity, your session expires after 8 hours. You need to sign in again. |

What Counts as Activity

Any interaction with the app resets the inactivity timer: tapping, scrolling, navigating between screens, or pulling to refresh. Simply having the app open in the background does not count as activity.
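
Added example (not Forbidden Finance's own code): one way a server could enforce the timeout rules above, using the durations from the table. The Session record, the State names and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

# Durations taken from the Session Timeout Rules table, in seconds.
IDLE_WARNING = 28 * 60
IDLE_TIMEOUT = 30 * 60
ABSOLUTE_CAP = 8 * 60 * 60

class State(Enum):
    ACTIVE = "active"
    WARNING = "warning"                  # show the "about to expire" notice
    EXPIRED_IDLE = "expired_idle"
    EXPIRED_ABSOLUTE = "expired_absolute"
    REVOKED = "revoked"

@dataclass
class Session:                           # hypothetical server-side record
    created_at: float                    # sign-in time; never updated
    last_activity: float                 # updated only by real interaction
    revoked: bool = False

def evaluate(s: Session, now: float) -> State:
    """Classify a session at time `now`; checked on every request."""
    if s.revoked:
        return State.REVOKED
    if now - s.created_at >= ABSOLUTE_CAP:   # activity cannot extend this
        return State.EXPIRED_ABSOLUTE
    idle = now - s.last_activity
    if idle >= IDLE_TIMEOUT:
        return State.EXPIRED_IDLE
    return State.WARNING if idle >= IDLE_WARNING else State.ACTIVE

def touch(s: Session, now: float, foreground: bool = True) -> State:
    """Record an interaction. Background time is not activity, and an
    expired or revoked session is never revived by a late request."""
    state = evaluate(s, now)
    if foreground and state in (State.ACTIVE, State.WARNING):
        s.last_activity = now
        return State.ACTIVE
    return state

def seconds_until_logout(s: Session, now: float) -> float:
    """Time left before whichever deadline comes first."""
    deadline = min(s.last_activity + IDLE_TIMEOUT, s.created_at + ABSOLUTE_CAP)
    return max(0.0, deadline - now)

if __name__ == "__main__":
    s = Session(created_at=0, last_activity=0)   # constructed timeline
    for minute, fg in [(20, True), (49, False), (49, True), (80, True)]:
        print(minute, touch(s, minute * 60, fg).value)
```

Keeping created_at separate from last_activity is what makes the 8-hour cap independent of activity: touch() can move the idle deadline but never the absolute one.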

What Happens When a Session Expires

When your session expires:

  1. You see a "Session expired" message
  2. The app returns to the login screen
  3. Any unsaved changes (like a transaction draft) may be lost
  4. You sign in again with your password, passkey, or MFA

Your data is not affected -- only the active session ends. Once you sign in again, everything is exactly as you left it.

Tips

Check your active sessions periodically, especially after traveling or using a shared computer. It only takes a few seconds to review and revoke any sessions you no longer need.
The 8-hour absolute cap means you sign in at least once per day. This is a security feature, not a bug -- it limits the window of exposure if your session is compromised.
If you lose a device, revoke its session immediately from another device. Go to the web app, sign in, and revoke the lost device's session under Settings > Security > Active Sessions.
The "Remember me" option on the login screen saves your email for convenience but does not extend session duration. You still need to authenticate after every session timeout.

Frequently Asked Questions

Why does the app log me out after 30 minutes?

The 30-minute inactivity timeout is a security measure that protects your account if you forget to close the app on a shared or public device. Any interaction with the app resets the timer, so it only triggers when you are genuinely away.

Can I change the timeout duration?

No. The 30-minute inactivity timeout and 8-hour absolute cap are fixed security policies that apply to all accounts. They cannot be changed or extended.

Why was I logged out even though I was using the app?

The 8-hour absolute session cap logs you out regardless of activity. If you have been continuously using the app for 8 hours, the session ends and you need to sign in again. This is an intentional security safeguard.

What does 'approximate location' mean in the session list?

The location shown is based on IP address geolocation, which identifies the general city or region. It is not GPS-precise. VPN or corporate network users may see a location that does not match their physical location.

I see a session I don't recognize. Is my account compromised?

Revoke the unfamiliar session immediately. Then change your password and review your MFA settings (Settings > Security). If you see evidence of unauthorized transactions or changes, contact support at support@403fin.io.

Does revoking a session delete data from that device?

Revoking a session logs out the app on that device. It does not delete any data from the device itself (such as cached data or the installed app). If the device is lost, you may also want to remotely wipe it using your device manufacturer's "Find My" feature.

Need more help? Contact us at support@403fin.io.