Clarity doesn't stop multiple sessions

Article ID: 435661

Products

  • Clarity PPM On Premise
  • Clarity FedRAMP
  • Clarity PPM SaaS

Issue/Introduction

The application does not implement controls to limit or manage concurrent sessions for a single user account. A user can maintain multiple active sessions simultaneously from different devices, browsers, or locations without restriction or notification.
 
Current Behavior:
  • User logs in from Location A (creates Session 1)
  • User logs in from Location B (creates Session 2)
  • Both sessions remain active indefinitely until the user logs out or the inactivity timeout is reached
  • No mechanism to view or terminate active sessions
  • Previous sessions are not invalidated when new sessions are created

Environment

Clarity all versions 

Resolution

This is working as designed because Clarity is a Project Management tool and the ability to maintain multiple sessions is generally viewed as a feature of the workflow rather than a flaw. However, from a cybersecurity perspective (for example, in an OWASP audit), this is often flagged as a "finding."

Here’s a breakdown of why Clarity handles sessions this way and how to balance the risks.

Why it's Working as Designed: Project management is rarely a linear, single-tab task. Most users in Clarity rely on multiple sessions for several reasons:

  • Cross-Referencing: A project manager might have a Gantt chart open in one window and a Financial Plan or Risk Register in another to ensure data consistency.
  • The "Mobile + Desktop" Combo: It’s common for a user to be logged into the Clarity mobile app for time-tracking or approvals while simultaneously working on a desktop for heavy configuration.
  • Browser Tab Limitations: Because Clarity is a complex web app, opening multiple tabs in the same browser often shares the same session cookie. If the app strictly enforced one session, opening a second tab could potentially "kill" the first one, leading to lost work (like unsaved timesheet entries).

The Security Perspective: While convenient, security auditors flag unlimited concurrent sessions because of two main risks:

  • Account Sharing: It makes it easier for multiple people to share a single "expensive" license.
  • Session Hijacking: If a user forgets to log out on a public or shared computer, that session remains active even if they log in elsewhere, leaving a door open for unauthorized access.

How to Manage This: If your organization needs to tighten the screws without breaking the workflow, you usually don't do it within Clarity’s native settings. Instead, you handle it at the Identity Provider (IdP) level:

| Method | How it Works | Impact |
| --- | --- | --- |
| SSO / SAML 2.0 | Use Okta, Azure AD, or Ping to manage the login. These tools can be configured to limit concurrent logins to the portal itself. | High Security, Low User Friction. |
| Session Timeouts | Set a shorter "Inactivity Timeout" in Clarity (e.g., 30 or 60 minutes). | Cleans up "ghost" sessions automatically. |
| MFA (Multi-Factor) | Require a push notification for every new login. | Deters account sharing even if multiple sessions are allowed. |
| Audit Portlets | Create a custom portlet to monitor active sessions and identify users with an "excessive" number of concurrent logins. | Good for oversight without being restrictive. |
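The "Session Timeouts" and "Audit Portlets" rows describe the same oversight logic: replay login, activity and logout events, drop sessions that have passed the inactivity timeout, and report users whose remaining concurrent sessions exceed a threshold. The script below is an added illustration of that logic and is not Clarity code or a Clarity portlet; the session event format, the user names and the session ids are constructed for the example, and the event stream is assumed to be in time order. It shows how a forgotten session (the "kiosk-lobby" login) keeps counting against a user until the timeout cleans it up, which is the hijacking risk the table's timeout row addresses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample session events (not real Clarity logs).
# Columns: timestamp, event, user, session id, source device.
SAMPLE_EVENTS = """\
2024-03-01T08:00:00 LOGIN    jsmith S1 desktop-office
2024-03-01T08:05:00 LOGIN    jsmith S2 mobile-app
2024-03-01T08:10:00 LOGIN    adoe   S3 desktop-home
2024-03-01T08:20:00 LOGIN    jsmith S4 kiosk-lobby
2024-03-01T08:30:00 ACTIVITY jsmith S1 desktop-office
2024-03-01T08:40:00 LOGOUT   jsmith S2 mobile-app
2024-03-01T09:00:00 LOGIN    jsmith S5 desktop-office
2024-03-01T09:05:00 ACTIVITY adoe   S3 desktop-home
"""


@dataclass
class Session:
    user: str
    session_id: str
    source: str
    last_seen: datetime
    active: bool = True


def parse_events(text):
    """Parse the whitespace-separated event lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, sid, source = line.split()
        events.append((datetime.fromisoformat(ts), kind, user, sid, source))
    return events


def active_sessions(events, now_iso, timeout_minutes):
    """Replay events up to `now` and return {user: [Session, ...]} for
    sessions that are still logged in and have not exceeded the
    inactivity timeout. Assumes `events` is sorted by timestamp."""
    now = datetime.fromisoformat(now_iso)
    timeout = timedelta(minutes=timeout_minutes)
    sessions = {}
    for ts, kind, user, sid, source in events:
        if ts > now:
            break  # events after the point in time we are evaluating
        if kind == "LOGIN":
            sessions[sid] = Session(user, sid, source, ts)
        elif kind == "ACTIVITY" and sid in sessions:
            sessions[sid].last_seen = ts  # activity resets the idle clock
        elif kind == "LOGOUT" and sid in sessions:
            sessions[sid].active = False  # explicit logout ends the session
    result = {}
    for s in sessions.values():
        # A session that has gone idle past the timeout is treated as
        # expired, exactly as a shorter Inactivity Timeout would do.
        if s.active and now - s.last_seen <= timeout:
            result.setdefault(s.user, []).append(s)
    return result


def flag_excessive(active, max_sessions):
    """Return {user: [session ids]} for users above the allowed count."""
    return {
        user: sorted(s.session_id for s in sessions)
        for user, sessions in active.items()
        if len(sessions) > max_sessions
    }


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for timeout in (60, 30):
        active = active_sessions(events, "2024-03-01T09:10:00", timeout)
        print(f"timeout={timeout}m flagged={flag_excessive(active, 2)}")
```

With a 60-minute timeout, jsmith still has three live sessions at 09:10 (the office desktop, the forgotten kiosk login and the new desktop login) and is flagged; with a 30-minute timeout the idle office and kiosk sessions have expired, only the fresh login remains, and nothing is flagged. That is the trade-off the table captures: the timeout, not a hard session cap, is what removes the ghost session.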

Conclusions: Clarity is built for multi-tasking. Forcing a "one session per user" rule would likely result in a revolt from your Project Management Office (PMO). Most enterprises accept this "risk" as a necessary trade-off for usability, opting instead to secure the entry point (via SSO) rather than the application session.