User Session Security Controls
User Session Security Controls
A guide for printIQ users
What is this feature?
User Session Security Controls give your administrators two tools to better protect your printIQ environment. The first automatically logs out any user whose account is disabled, locked, or deactivated. The second is an optional setting that limits each user to one active login at a time, preventing credential sharing across devices.
Why would I use it?
- Disabled accounts are blocked immediately – there's no window where a deactivated user can keep working through an existing browser session.
- Credential sharing between staff is prevented when single-machine login is turned on.
- Users get a clear, plain-language message explaining why they were logged out so they know who to contact.
- Performance stays fast – validation runs with a 60-second server cache so page load times aren't affected.
- Administrators stay in control – the single-machine login setting can be turned on or off at any time without a system restart.
When does this apply?
Session validation runs on every page request. For performance, the result is cached for 60 seconds, so changes take effect within that window. The single-machine login check only applies when the feature is enabled via the admin settings panel.
Which users are affected?
The checks apply to standard printIQ users. The following are exempt:
- printIQ Staff Members – exempt from both the disabled-account check and the single-machine login check, so support access is never disrupted.
- printIQ System Processes – exempt from disabled-account validation.
How are sessions handled?
When a user logs in, the system generates a unique, cryptographically secure session token and stores it in the database. On every subsequent request, that token is checked:
- If the token matches, the session continues normally.
- If the token doesn't match (because the user has logged in elsewhere and single-machine login is on), the current session is ended and the user sees an explanatory message.
- If the account has been disabled, locked, or deactivated, the session is ended regardless of the token.
- If validation can't be completed due to a database or cache error, the system defaults to allowing access – validation failures never lock users out.
What happens after a forced logout?
The user is redirected to the logout page, which shows one of the following messages depending on the reason:
- Account deactivated – your account has been deactivated. Contact your administrator to find out more.
- Account locked – your account has been locked. Contact your administrator to regain access.
- Logged in elsewhere – your account was accessed from another location, so this session has ended. Log in again to continue.
What about errors or database issues?
The system uses a fail-open approach: if validation can't be completed – for example, because the database is temporarily unavailable – access is allowed rather than blocked. Errors are logged for your administrator to review, but they won't cause unexpected logouts or prevent users from working.
Settings to know about
| Setting | What it does |
|---|---|
| PrintIQ_SingleMachineLogin_Enabled | Turns single-machine login on or off. Set to 'Yes' to allow only one active session per user at a time. Set to No (default) to allow multiple concurrent sessions. Changes take effect within 60 seconds. |
Frequently Asked Questions:
The user isn't seeing the correct logout message.
Each logout reason produces a specific message. Confirm which account status change triggered the logout (deactivated, locked, or logged in elsewhere) and check the logout page is on the latest version of printIQ.
Single-machine login doesn't seem to be working even though it's enabled.
Check that PrintIQ_SingleMachineLogin_Enabled is set to 'Yes' and that enough time has passed for the 60-second cache to expire. printIQ Staff Members are always exempt from this check.
A user is being logged out unexpectedly when they haven't been disabled.
If single-machine login is on, logging in on a second device will end the first session. Ask the user whether they or a colleague may have logged in somewhere else. If not, review the error logs with your administrator to check for validation issues.
The single-machine login setting was changed but the behaviour hasn't updated.
The setting is cached for up to 60 seconds. Wait for the cache to clear, or manually clear the cache, and try again. If the behaviour still doesn't match the setting, ask your administrator to confirm the value was saved correctly in the database.
Still not seeing the expected behaviour after checking the above?
Reach out to your system administrator or the printIQ support team for a closer look at the configuration.
Related Articles
Related Machine - Allocating Jobs to Machine
Introduction Often a production process can be done on one of many presses or machines. For example, when a company has multiple of the same press or folder. This is where the ‘Related Machines’ concept comes into play. By default an operation is ...Create User
What is a user? A user is a person who has been given permission to log in to printIQ. Access permissions depend on the user's role. The types of users are: staff, customers, suppliers and Shop Floor (please see linked article about Shop Floor ...Die and Product Tweaks - Single Product Creation
The Single Product Creation screen is a simple way to add a standard product for estimator or client to order. Single Product is also useful to order static artwork and can contain only one section and one stock, and can be linked to a CHILI ...Multi-Factor Authentication (MFA) – Setup, Configuration and User Enrollment
MFA – Multi Factor Authentication Multi-factor authentication is an electronic authentication method in which users are granted access to printIQ after successfully entering their authentication code from an authentication application on their ...User Access Control (comprehensive article)
Overview The process of setting up roles and positions in IQ has evolved over the lifetime of the software and is very adaptable and customizable. Understanding how the different elements of positions, roles, menus and back end settings work together ...