Pistonlog uses custom cookie sessions for the web app and Bearer tokens for the mobile app. The two have different lifetimes because the security trade-offs are different.
How long sessions last
| Transport | Duration | Why |
|---|---|---|
| Web cookie | 12 hours | A shared workshop computer shouldn't stay logged in overnight |
| Mobile Bearer | 30 days | A technician's personal phone is locked behind a passcode; less risk of misuse |
These limits are deliberate. If your session expires you'll be redirected to the login page. Any in-flight work will already have been saved, with one exception: line-item edits are not saved automatically, so don't leave them open and unsaved when you step away from the machine.
What happens at expiry
- Web: a request after expiry gets a 401 and the app redirects to /login. After login, you're sent back to where you were.
- Mobile: the app re-prompts for email + password (the same credentials you use on web).
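The following is an added example of the web-client side of that flow, not code from Pistonlog itself. It assumes two things the page does not state: that the login page takes a `next` query parameter to remember where you were, and that the web app calls its API with `fetch()` from the same origin. The part worth copying is `safeReturnTo()`: a "send me back where I was" parameter is user-influenced, so it must be restricted to same-origin paths or it becomes an open redirect.

```javascript
// Added example (not Pistonlog's own code): client-side handling of
// "401 -> /login -> back to where you were".
// Assumptions: the login page accepts `?next=...`, and API calls use fetch().

const APP_ORIGIN = "https://app.invalid"; // placeholder base, used only to parse paths

// Accept only same-origin, path-relative return targets. Absolute URLs,
// protocol-relative "//host", and "/\host" (which browsers normalise to "//host")
// are all rejected, as is bouncing straight back to /login.
function safeReturnTo(candidate, fallback = "/") {
  if (typeof candidate !== "string" || !candidate.startsWith("/")) return fallback;
  if (candidate.startsWith("//") || /[\\\u0000-\u001f]/.test(candidate)) return fallback;
  let parsed;
  try {
    parsed = new URL(candidate, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (parsed.origin !== APP_ORIGIN) return fallback;
  if (parsed.pathname === "/login") return fallback;
  return parsed.pathname + parsed.search + parsed.hash;
}

// URL of the login page that remembers where the user was.
function loginUrlFor(currentPath) {
  return "/login?next=" + encodeURIComponent(safeReturnTo(currentPath));
}

// After a successful login: where to send the user, given the login page's query string.
function postLoginTarget(search) {
  return safeReturnTo(new URLSearchParams(search).get("next"));
}

// Returns true when the response means "session expired" and a redirect was issued.
// `navigate` and `currentPath` are injectable so the logic runs outside a browser.
function handleExpiry(response, { navigate, currentPath }) {
  if (response.status !== 401) return false;
  navigate(loginUrlFor(currentPath()));
  return true;
}

// fetch() wrapper for every API call; returns null once a redirect is in progress.
async function apiFetch(input, init = {}, hooks = {}) {
  const {
    fetchImpl = fetch,
    navigate = (url) => window.location.assign(url),
    currentPath = () => window.location.pathname + window.location.search,
  } = hooks;
  const response = await fetchImpl(input, { credentials: "same-origin", ...init });
  if (handleExpiry(response, { navigate, currentPath })) return null;
  return response;
}
```

`credentials: "same-origin"` is what makes the cookie session travel with the request in the first place; without it a fetch from a script can arrive with no cookie and look expired when it isn't.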
Multi-device
You can be logged in on as many devices as you like simultaneously. Each device has its own session. Logging out on one doesn't log you out on the others.
When to log out manually
- Shared workshop computer — log out at the end of the day even though the cookie would expire automatically. Nothing wrong with belt-and-braces.
- Personal phone you're getting rid of — log out before factory-resetting or selling.
- Suspected unauthorised access — log out on every device you're signed in on. Logout is currently a per-device action, so a device you no longer have access to can't be logged out remotely; a global "log out all devices" feature is on the roadmap.
Two-factor authentication
Pistonlog doesn't yet support 2FA. If your team handles particularly sensitive data, ask in support — it's on the list of upcoming security improvements.