When you authenticate to a website, the server creates a session. That session is tracked with a session token, usually stored in a cookie, which is just an unpredictable identifier that your browser sends along with every subsequent request. When the website sees the identifier, it looks up the matching session and treats the request as coming from you, so you stay logged in without re-entering your password.
Tip: This is why it is important to keep session tokens private. A session token is a bearer credential: if an attacker obtains one, they can present it to the server, and the server cannot tell the attacker apart from you unless other verification methods are used alongside the token.
Session tokens are usually created with an expiry time so that a session is not valid forever. This limits how long a stolen token stays useful to an attacker and reduces the number of valid tokens the server has to track.
Generally, a session token is also invalidated when you click the “log out” button. Some websites get this wrong and do not invalidate the token on the server side, so an old token can still be used even after the user has logged out.
ProtonMail automatically expires session tokens after either two weeks of inactivity or six months in total, although changing your password explicitly resets the six-month timer. To help you manage the risk of a valid session being compromised, ProtonMail lets you see a list of all currently valid sessions and end them.
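To make the lifecycle described above concrete, here is an added example of a minimal server-side session store. It is illustration written for this page, not ProtonMail's code: the two-week idle limit and six-month absolute limit follow the description above, while the class and method names, the choice to key the store by a hash of the token, and the constructed `demo()` walkthrough are assumptions. It shows a stolen token being accepted as the user, a logout that the server was never told about, idle and absolute expiry, and a per-user session list with “revoke all other sessions”.

```python
"""Server-side session store: random bearer tokens, idle and absolute expiry,
server-side logout, per-user session listing and revocation. Added illustration,
not ProtonMail's code; timeouts follow the text above, everything else is assumed."""
import hashlib
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 14 * 24 * 3600        # seconds: two weeks of inactivity
ABSOLUTE_TIMEOUT = 182 * 24 * 3600   # seconds: roughly six months from creation


@dataclass
class Session:
    id: str            # short handle for the UI; never the token itself
    user: str
    platform: str
    created_at: float
    last_seen: float


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, absolute_timeout=ABSOLUTE_TIMEOUT):
        # Callers pass the current time (time.time() in production) so expiry is testable.
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._sessions = {}   # SHA-256(token) -> Session: a dump of this yields no live tokens

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _expired(self, s: Session, now: float) -> bool:
        return now - s.last_seen > self.idle_timeout or now - s.created_at > self.absolute_timeout

    def create(self, user: str, platform: str, now: float) -> str:
        """Log in: mint a 256-bit random token and hand it to the client."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(
            id=secrets.token_hex(4), user=user, platform=platform,
            created_at=now, last_seen=now)
        return token

    def lookup(self, token: str, now: float):
        """Resolve a presented token; None if unknown or expired. The server cannot
        know who holds the token: whoever presents it is treated as the user."""
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        if self._expired(s, now):
            del self._sessions[key]      # dropped for good; cannot be replayed later
            return None
        s.last_seen = now                # activity extends the idle window only
        return s

    def logout(self, token: str) -> None:
        """Correct logout: invalidate on the server, not merely delete the cookie."""
        self._sessions.pop(self._key(token), None)

    def list_sessions(self, user: str, now: float) -> list:
        return [s for s in self._sessions.values()
                if s.user == user and not self._expired(s, now)]

    def revoke_all_others(self, user: str, current_token: str) -> int:
        keep = self._key(current_token)
        doomed = [k for k, s in self._sessions.items() if s.user == user and k != keep]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def demo() -> dict:
    """Exercise the behaviours described above on a fixed clock (constructed data)."""
    day, t0 = 86400, 1_700_000_000.0
    store = SessionStore()
    laptop = store.create("alice", "web", t0)
    phone = store.create("alice", "android", t0)
    out = {}
    # A stolen token replays fine; deleting the cookie client-side without telling
    # the server changes nothing, only a server-side logout does.
    out["stolen_token_works"] = store.lookup(laptop, t0 + 60) is not None
    out["cookie_deleted_still_valid"] = store.lookup(laptop, t0 + 120) is not None
    store.logout(laptop)
    out["after_server_logout"] = store.lookup(laptop, t0 + 180) is None
    # Idle expiry: the phone session is unused for 15 days.
    out["phone_idle_expired"] = store.lookup(phone, t0 + 15 * day) is None
    # Absolute expiry: daily use keeps the idle window fresh but not past the six-month cap.
    tablet = store.create("alice", "ios", t0)
    out["alive_at_day_182"] = all(store.lookup(tablet, t0 + d * day) for d in range(1, 183))
    out["dead_at_day_183"] = store.lookup(tablet, t0 + 183 * day) is None
    # Session list and "revoke all other sessions" touch only this user's sessions.
    web = store.create("alice", "web", t0)
    other = store.create("alice", "android", t0)
    bob = store.create("bob", "web", t0)
    out["listed_platforms"] = sorted(s.platform for s in store.list_sessions("alice", t0))
    out["revoked_count"] = store.revoke_all_others("alice", web)
    out["current_still_valid"] = store.lookup(web, t0) is not None
    out["other_revoked"] = store.lookup(other, t0) is None
    out["bob_untouched"] = store.lookup(bob, t0) is not None
    return out
```

Two design points worth noting: the store is keyed by a hash of the token rather than the token itself, so a leaked copy of the session table does not hand out usable credentials, and `lookup` refreshes only `last_seen`, so regular activity extends the idle window but never the absolute lifetime, which is the property the two-timer scheme above depends on.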
To access your session list, click “Settings” in the top bar, then switch to the “Security” tab. The “Session Management” section is on the right of the window. It lists every currently valid session, the platform it belongs to, the user account it belongs to, and when it was created. You can revoke individual sessions by clicking the relevant “Revoke” link, or revoke all of them except the current one by clicking “Revoke All Other Sessions”. Either option requires you to re-enter your password to confirm that the request is legitimate.