---
title: Configuring session quotas
description: You can configure session quotas to limit the number of sessions a user can have active at one time.
component: pingfederate
version: 13.0
page_id: pingfederate:administrators_reference_guide:pf_configuring_session_quotas
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_configuring_session_quotas.html
section_ids:
  logging: Logging
  before-you-begin: Before you begin
  steps: Steps
---

# Configuring session quotas

You can configure session quotas to limit the number of sessions a user can have active at one time.

PingFederate uses a unique user key attribute to track user sessions for this feature, so browser sessions are counted across browsers and devices. A user session can include multiple browser tabs.

When a user authenticates a new session, PingFederate checks the quota limit. You can configure PingFederate to deny the new session, return an error message, or revoke one or more active sessions when the new session exceeds the quota.

## Logging

When a new session exceeds the session quota, PingFederate logs a `SESSION_QUOTA_EXCEEDED` message to the `audit.log` file.

## Before you begin

* The session quota feature requires the unique user key attribute to track user sessions. To make user session quotas work, you must have a unique user key attribute defined for each IdP adapter. Learn more in [Setting pseudonym and masking options](pf_setting_pseudonym_masking_options.html).

* For clients to check whether a session has been revoked during token exchanges, you must enable the following **Session validation** settings in your access token manager:

  * **Include session identifier in access token**

  * **Check session revocation status**

    Learn more in [Managing session validation settings](help_beareraccesstokenmgmtplugintasklet_sessionvalidationstate.html).

## Steps

1. Go to **Authentication > Policies > Sessions** and scroll down to the **Session Quotas** section.

2. Select the **Enable Session Quota Constraints** checkbox.

3. In the **Active Session Limit** field, enter the number of sessions to limit a user to.

4. In the **Session Quota Limit Behavior** list, select how PingFederate responds when a new session exceeds the quota.

   The following table contains more information about exceeded quota behaviors:

   | Behavior                      | Description                                                                                                                             |
   | ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- |
   | **Deny Access**               | PingFederate denies the new authentication transaction with a `Session limit exceeded` error message                                    |
   | **Destroy Most Idle Session** | PingFederate allows the new authentication session and revokes the existing session with the oldest last activity time                  |
   | **Destroy Old Sessions**      | PingFederate allows the new authentication session and revokes all other existing sessions. This is similar to password reset behavior. |

5. Click **Save**.