Sessions & Tokens

After you authenticate, FullFabric creates a session that keeps you logged in as you navigate the platform. This page explains how sessions work, how the platform identifies you on each request, and when sessions expire.

How Sessions Work

FullFabric uses cookie-based sessions. When you log in:

  1. A unique session token is generated and stored in your profile.
  2. The token is saved in an HTTP-only cookie in your browser.
  3. On every subsequent request, the cookie is sent automatically and the platform looks up your identity from the token.

Sessions are scoped to a single institution (tenant) via subdomain routing. A session on school-a.fullfabric.com is separate from school-b.fullfabric.com.

Session Timeout

Sessions expire after a period of inactivity:

Context                          Timeout      Description
General browsing                 12 hours     Default session timeout for normal platform use
Secured pages (e.g., Settings)   15 minutes   Shorter timeout for sensitive areas

The timeout is configurable per institution. When your session expires, you are redirected to the login page. If you were on a specific page, FullFabric remembers the URL and redirects you back after re-authentication.

Session Lifecycle

Login

On successful authentication:

  • A session token is stored in your browser as an HTTP-only cookie.
  • You are redirected to the platform (or back to the page you were trying to access).

Logout

When you log out:

  • Your session is reset (cookie cleared).
  • Trusted device cookies (2FA) are deleted.
  • If your institution uses SAML, a SAML Logout Request is sent to the identity provider for single logout.

How the Platform Identifies You

On each request, FullFabric resolves the current user from one of these sources (in priority order):

  1. Session cookie — Set during normal browser login
  2. URL parameter (?token=...) — Used in specific flows like email links
  3. HTTP header (FF_AUTH) — Used by API clients and integrations

If a token is found, the platform checks it against API tokens first, then user profiles. See API Tokens for details on token-based authentication.
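The request pipeline described under "How the Platform Identifies You" (token taken from the session cookie, then the ?token= parameter, then the FF_AUTH header; matched against API tokens before user profiles) and the idle timeouts from the Session Timeout table, as an added worked example in Python. This is illustrative code written for this page, not FullFabric's own implementation; the cookie name _ff_session, the Request and Principal classes, the in-memory token stores, the /settings path test for secured pages, and the choice to idle-check only cookie-backed sessions are assumptions made for the example.

```python
"""Illustrative model of cookie/token request authentication with idle timeouts.

Example code added to this documentation page, not FullFabric's implementation.
Assumed for the example: the cookie name, the Request/Principal classes, the
in-memory stores, the /settings rule for secured pages, and that only sessions
identified by the cookie are subject to the inactivity timeout.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlencode, urlsplit

SESSION_COOKIE = "_ff_session"            # hypothetical cookie name
GENERAL_TIMEOUT = timedelta(hours=12)     # "General browsing" row of the table
SECURED_TIMEOUT = timedelta(minutes=15)   # "Secured pages" row of the table

# Fixed reference clock so results are reproducible (constructed for the example).
NOW = datetime(2024, 1, 1, 12, 0, 0)


def ago(**kwargs):
    """Timestamp some interval before NOW, e.g. ago(minutes=20)."""
    return NOW - timedelta(**kwargs)


@dataclass
class Request:
    url: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Principal:
    kind: str   # "api_token" or "profile"
    name: str


# Constructed sample stores standing in for the API token and profile tables.
API_TOKENS = {"tok-api-123": Principal("api_token", "crm-integration")}
PROFILES = {"tok-user-456": Principal("profile", "jane@school-a.example")}


def extract_token(req):
    """Return (source, token) using the documented priority order, or (None, None)."""
    if SESSION_COOKIE in req.cookies:
        return "cookie", req.cookies[SESSION_COOKIE]
    query = parse_qs(urlsplit(req.url).query)
    if "token" in query:
        return "url", query["token"][0]
    if "FF_AUTH" in req.headers:
        return "header", req.headers["FF_AUTH"]
    return None, None


def resolve_principal(token):
    """API tokens are checked first, then user profiles; unknown tokens resolve to None."""
    if token is None:
        return None
    if token in API_TOKENS:
        return API_TOKENS[token]
    return PROFILES.get(token)


def is_secured_path(path):
    # Assumption: secured pages live under /settings.
    return path.startswith("/settings")


def session_expired(last_activity, now, path):
    """True when the idle time exceeds the timeout that applies to this page."""
    limit = SECURED_TIMEOUT if is_secured_path(path) else GENERAL_TIMEOUT
    return now - last_activity > limit


def login_redirect(url):
    """Login URL that remembers where the user was, so they can be sent back afterwards."""
    return "/login?" + urlencode({"return_to": url})


def authenticate(req, last_activity, now=NOW):
    """Full pipeline: ("ok", principal) or ("redirect", login_url)."""
    source, token = extract_token(req)
    principal = resolve_principal(token)
    if principal is None:
        return "redirect", login_redirect(req.url)
    # Assumption: only cookie-backed browser sessions are idle-checked; API
    # clients present their credential on every request.
    if source == "cookie" and session_expired(last_activity, now, urlsplit(req.url).path):
        return "redirect", login_redirect(req.url)
    return "ok", principal


if __name__ == "__main__":
    req = Request("/settings/users", cookies={SESSION_COOKIE: "tok-user-456"})
    print(authenticate(req, ago(minutes=20)))   # expired on a secured page
    print(authenticate(req, ago(minutes=5)))    # still valid
```

The same 20 minutes of inactivity is fatal on a /settings page but harmless on a general page, which is exactly the distinction the timeout table draws; when the check fails, the redirect carries the original URL as return_to so the user lands back where they were after re-authenticating.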