I’ve noticed user sessions on the server edition seem to be infinite - so long as they keep the browser open & the manager session cookie remains valid.
From a security point of view this isn’t a good idea. Sessions should time out after inactivity (say 30 minutes, ideally configurable by the administrator).
As an alternative, does the session state reside on the server that can be zapped by a cronjob somehow? Clearing overnight would suffice until there is a better solution.
Also, application administrators should be able to see if users are currently logged on. Nothing too detailed, just basic connection info like login time / last page access / remote IP, as it aids in the management of users and the application generally (e.g. ‘can I reboot the server?’).
In a business setup, it’s convenient if staff can be logged in continuously. That assumes staff don’t share computers, which is usually the case anyway.
Even if you go and use a public computer and forget to log out, the moment you log in from another computer, the previous session will be automatically logged out.
I think the next step is to implement an audit trail and then see where to go from there.
I don’t know what “as a server” means. A server is a computer. You add users as an administrator. What part of the guide I linked to above didn’t work?