
User Session Management in Odoo 18: A Complete Guide

 


User session management is a critical yet often overlooked aspect of any ERP system. In Odoo 18, session handling has become more robust, secure, and configurable—helping organizations balance usability with security.

This blog walks you through how user sessions work in Odoo 18, key configuration options, security best practices, and common customization use cases.

 

What Is a User Session in Odoo?

A user session represents an authenticated interaction between a user and the Odoo server. Once logged in, Odoo creates a session that:

  • Identifies the logged-in user
  • Stores session data (language, timezone, context)
  • Maintains authentication across requests
  • Expires automatically based on configuration

Odoo uses server-side session storage, not browser-only sessions, making it more secure and controllable.

 

How Session Management Works Internally

At a high level, the Odoo session flow looks like this:

  1. User logs in via /web/login
  2. Odoo authenticates credentials
  3. A session ID is generated
  4. Session data is stored on the server
  5. A session cookie is sent to the browser
  6. Every request validates the session

If the session expires or is invalidated, the user is redirected to the login page.

 

Session Storage in Odoo 18

By default, Odoo stores sessions in:

  • PostgreSQL database (recommended for production)
  • Optionally in filesystem (not recommended for scalability)

Each session includes:

  • User ID
  • Login time
  • Last activity timestamp
  • Context (lang, tz, allowed companies)

This allows Odoo to track active users and enforce security rules efficiently.

 

Key Session Configuration Parameters

You can configure session behavior in your odoo.conf file:

session_expiration = 7200

session_timeout = 3600

 

Important Parameters

| Parameter | Description |
|---|---|
| session_expiration | Maximum session lifetime (seconds) |
| session_timeout | Inactivity timeout |
| limit_time_real | Hard request time limit |
| limit_time_cpu | CPU usage per request |

📌 Best practice: Keep shorter timeouts for sensitive modules like Finance or GRC.

Automatic Session Expiry & Logout

Odoo 18 automatically logs out users when:

  • The session expires

  • The user is inactive beyond timeout

  • The server restarts

  • User password is changed

  • User is manually logged out

This prevents:

  • Session hijacking

  • Unauthorized access from shared devices
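
The two timers and the logout triggers listed above, modelled as a small server-side store. This is an added example, not Odoo's own code: the class and method names are hypothetical, and the two constants reuse the values from the configuration shown earlier.

```python
import secrets
from dataclasses import dataclass

# Hypothetical model of the behaviour described above, not Odoo's implementation.
SESSION_EXPIRATION = 7200  # absolute lifetime in seconds (value from the page)
SESSION_TIMEOUT = 3600     # inactivity timeout in seconds (value from the page)


@dataclass
class Session:
    uid: int
    login_time: float
    last_activity: float


class SessionStore:
    """Server-side store: the browser only ever holds the opaque session ID."""

    def __init__(self):
        self._sessions = {}

    def login(self, uid, now):
        sid = secrets.token_urlsafe(32)  # unpredictable ID, issued after authentication
        self._sessions[sid] = Session(uid, now, now)
        return sid

    def validate(self, sid, now):
        """Return (uid, 'ok') or (None, reason); meant to run on every request."""
        s = self._sessions.get(sid)
        if s is None:
            return None, "invalid"
        if now - s.login_time >= SESSION_EXPIRATION:
            reason = "expired"   # absolute cap applies even to active users
        elif now - s.last_activity >= SESSION_TIMEOUT:
            reason = "idle"
        else:
            s.last_activity = now  # activity slides the idle window only
            return s.uid, "ok"
        del self._sessions[sid]    # a dead session must not be reusable
        return None, reason

    def revoke_user(self, uid):
        """Drop every session of a user (password change, forced logout)."""
        stale = [sid for sid, s in self._sessions.items() if s.uid == uid]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)
```
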

 

Multi-Device & Multi-Tab Sessions

Odoo supports:

  • Multiple tabs using the same session

  • Multiple devices per user (unless restricted)

However, each login creates a separate session. Admins can:

  • Track concurrent sessions

  • Force logout specific users

  • Revoke access instantly

 

Viewing and Managing Active Sessions (Admin)

In Odoo 18, administrators can:

  • Monitor logged-in users
  • Detect idle or stale sessions
  • Terminate sessions manually

Common use cases:

  • Forced logout after policy violations
  • Emergency access revocation
  • Cleaning zombie sessions

Custom modules can hook into session lifecycle events for audit logging.

 

Security Best Practices for Session Management

✅ Enable HTTPS only
✅ Use strong password policies
✅ Set reasonable inactivity timeouts
✅ Rotate sessions on privilege change
✅ Restrict concurrent logins if required
✅ Monitor sessions for anomalies

For compliance-heavy environments (ISO, SOC, GRC), session logging is mandatory.

 

Customizing Session Behavior in Odoo 18

Advanced use cases include:

1. Restrict Concurrent Logins

Limit users to one active session at a time.

2. Auto Logout on Role Change

Invalidate session when access rights change.

3. Session Audit Logging

Track:

  • Login time
  • IP address
  • Device info
  • Logout reason

4. Module-Specific Timeouts

Shorter sessions for sensitive models.

These are typically implemented by overriding authentication or HTTP middleware.
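
One way to use the audit fields listed above (login time, IP address, device info) for the "monitor sessions for anomalies" practice. This is an added example, not code from Odoo or from this post; the record layout, event names and the `max_concurrent` limit are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed audit records: (timestamp, event, user, session_id, ip, device)
AUDIT_LOG = [
    (1000, "login",   "alice", "s1", "203.0.113.10", "Firefox/Linux"),
    (1005, "login",   "bob",   "s2", "203.0.113.20", "Chrome/Windows"),
    (1300, "request", "alice", "s1", "203.0.113.10", "Firefox/Linux"),
    (1400, "request", "alice", "s1", "198.51.100.7", "curl"),
    (1500, "login",   "bob",   "s3", "203.0.113.21", "Safari/iOS"),
    (1600, "logout",  "bob",   "s2", "203.0.113.20", "Chrome/Windows"),
    (1700, "login",   "bob",   "s4", "203.0.113.22", "Chrome/Android"),
    (1800, "login",   "bob",   "s5", "203.0.113.23", "Edge/Windows"),
]


def find_anomalies(records, max_concurrent=2):
    """Flag sessions whose client fingerprint changes and users over the session limit."""
    fingerprint = {}            # session_id -> (ip, device) recorded at login
    active = defaultdict(set)   # user -> currently open session IDs
    alerts = []
    for ts, event, user, sid, ip, device in sorted(records):
        if event == "login":
            fingerprint[sid] = (ip, device)
            active[user].add(sid)
            if len(active[user]) > max_concurrent:
                alerts.append((ts, "concurrent_limit", user, sid))
        elif event == "logout":
            active[user].discard(sid)
            fingerprint.pop(sid, None)
        elif sid not in fingerprint:
            # Request on a session that never logged in or already logged out
            alerts.append((ts, "unknown_session", user, sid))
        elif fingerprint[sid] != (ip, device):
            # Same session ID presented by a different client: possible cookie theft
            alerts.append((ts, "fingerprint_change", user, sid))
    return alerts
```

IP addresses also change legitimately (mobile networks, VPN reconnects), so treat a fingerprint change as a trigger for re-authentication or review rather than as proof of compromise.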

 

Common Session-Related Issues

| Issue | Cause |
|---|---|
| Frequent logouts | Short timeout |
| Login loop | Invalid cookies |
| Session lost on refresh | Proxy misconfiguration |
| High session count | Zombie sessions |

🛠 Tip: Always configure reverse proxies (Nginx) to forward cookies correctly.

Session Management in Odoo.sh & Cloud

In Odoo.sh:

  • Sessions are database-backed
  • Restart invalidates sessions
  • Scaling requires sticky sessions

In Odoo Online:

  • Session handling is fully managed
  • Limited customization available

 

Final Thoughts

User session management in Odoo 18 is powerful, secure, and highly extensible. With proper configuration and monitoring, you can significantly improve:

  • System security
  • User experience
  • Compliance readiness

 

 

About us:

We are Timus Consulting Services, a fast-growing, premium Governance, Risk, and Compliance (GRC) consulting firm specializing in GRC implementation, customization, and support.


sohoni agarwal