Sessions & Tokens
After you authenticate, Full Fabric creates a session that keeps you logged in as you navigate the platform. This page explains how sessions work, how the platform identifies you on each request, and when sessions expire.
How Sessions Work
Full Fabric uses cookie-based sessions backed by MongoDB (mongo_store). When you log in:
- A unique session token is generated and stored server-side in MongoDB.
- The session ID is saved in an HTTP-only cookie (`_fullfabric_session`) in your browser with `SameSite=Lax`.
- On every subsequent request, the cookie is sent automatically and the platform looks up your identity from the session.
Sessions are scoped to a single institution (tenant) via subdomain routing. A session on school-a.fullfabric.com is separate from school-b.fullfabric.com. In production, session cookies are marked Secure (HTTPS-only).
Session Timeout
Sessions expire after a configurable period of inactivity. The timeout is controlled by the session_timeout_in_days setting:
| Setting | Default | Description |
|---|---|---|
| session_timeout_in_days | 0.5 (12 hours) | Days since last authentication before the session expires |
The timeout is configurable per institution. When your session expires, you are redirected to the login page. If you were on a specific page, Full Fabric remembers the URL and redirects you back after re-authentication.
Session Lifecycle
Login
On successful authentication:
- A session token is stored in your browser as an HTTP-only cookie.
- You are redirected to the platform (or back to the page you were trying to access).
Logout
When you log out:
- Your session is destroyed (cookie cleared, server-side session removed from MongoDB).
- Trusted device cookies (2FA `_fullfabric_2fa_trusted`) are deleted.
- If your institution uses SAML, a SAML Logout Request is sent to the identity provider for single logout.
How the Platform Identifies You
On each request, Full Fabric resolves the current user from one of these sources (in priority order):
- Session cookie — Set during normal browser login
- URL parameter (`?token=...`) — Used in specific flows like email links
- HTTP header (`FF_AUTH`) — Used by API clients and integrations
If a token is found, the platform checks it against API tokens first, then user profiles. See API Tokens for details on token-based authentication.
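The resolution order above, together with the session_timeout_in_days check from the Session Timeout section, modelled as an added Ruby example (not Full Fabric's own code). The in-memory SESSIONS, API_TOKENS and PROFILES hashes stand in for the MongoDB store, and the assumption that an expired session falls through to the token sources is the example's, not the page's.

```ruby
require 'time'

# Constructed, hypothetical model of how a request is mapped to a user.
SESSION_COOKIE = "_fullfabric_session"
DEFAULT_TIMEOUT_DAYS = 0.5 # session_timeout_in_days default: 12 hours

# Constructed stand-ins for the server-side session store and token tables.
SESSIONS = {
  "sess-abc" => { user: "alice@school-a",
                  authenticated_at: Time.parse("2024-01-01 08:00:00 UTC") }
}
API_TOKENS = { "tok-api-1" => "integration-bot" } # checked first
PROFILES   = { "tok-user-9" => "bob@school-a" }   # checked second

# Returns the session's user, or nil if the session is unknown or has
# passed the configured number of days since last authentication.
def session_user(session_id, now, timeout_days = DEFAULT_TIMEOUT_DAYS)
  s = SESSIONS[session_id]
  return nil unless s
  return nil if now - s[:authenticated_at] > timeout_days * 86_400
  s[:user]
end

# Token lookup: API tokens first, then user profiles.
def token_user(token)
  API_TOKENS[token] || PROFILES[token]
end

# Priority order: session cookie, then ?token= parameter, then FF_AUTH header.
# Assumption: an absent or expired session falls through to the token sources.
def resolve_user(cookies:, params:, headers:, now: Time.now)
  sid = cookies[SESSION_COOKIE]
  user = session_user(sid, now) if sid
  return user if user
  token = params["token"] || headers["FF_AUTH"]
  token ? token_user(token) : nil
end
```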