session_management
The Login & Access Security module is designed to add safeguards to Drupal Login in a split phase manner-
- Security checks to govern pre-login security - Defines who can log in, from where, from which device, and under what conditions.
- Security checks to govern users activity, post login - Control user sessions, Limit their activity, define auto-logout and zero-trust policies.
The module combines user access control, session management, IP restriction, adaptive login security, and real-time monitoring into a single solution.
Benefits - It helps prevent unauthorized access, session abuse, brute-force attacks, and suspicious login behavior, making it ideal for enterprise and security-sensitive Drupal applications.
This module is well suited for enterprise portals, CRMs, HR systems, finance platforms, and regulated Drupal applications where access control and session oversight are critical.
When combined with Identity and Access Security elements like SSO and MFA; it will transform into a full fledged enterprise Access Gateway solution within Drupal, something similar to what we have already done for one of our customers.
What can it do?
- Login Audit and Brute Force Protection: Protect against unauthorized login attempts by tracking failed logins at both user and IP levels. Administrators can define limits for the number of failed login attempts and automatically block users and/or IP addresses when thresholds are exceeded - this protects against Brute Force and DDOS attacks.
- IP Based Restriction / Blocking & Network-Level Protection: Manually or Automatically block malicious IP addresses. The module supports blocking individual IPs as well as IP ranges. Active user sessions can be automatically terminated if an unusual change in IP address or geographic location is detected.
- Geofencing (Location Based Access Control): Admins can restrict or allow access to their drupal site originating from specific countries / locations. It can also automatically trigger a force logout if a change in location is detected.
- Session Management, Monitoring & Auditing: Control user sessions by configuring custom session lifetimes, limiting concurrent sessions, and managing active sessions. Users can view and terminate their active sessions, while admins enforce global or role-based session policies. Detailed session and login activity - including timestamps, IP address, device, browser, and status - can be monitored and exported in CSV format for auditing and compliance.
- Honeypotting for Bot Detection: Detect and block automated bots using honeypot techniques that identify non-human behavior during login and access attempts. This adds an additional layer of protection without affecting legitimate users.
- Automatic Logout:
- Logout after inactivity - Automatically log out users after a configured period of inactivity.
- Logout after fixed time interval - End user sessions after a specified time limit, regardless of activity, to enforce maximum session duration.
- IP Whitelisting / Blacklisting: Allow trusted IP addresses through allowlisting to ensure uninterrupted access for internal networks and partners, while blocking malicious or unwanted IPs using denylisting to prevent unauthorized access.
- Time-Based Access Control: Assign access to users or roles for a specific time period. Once the configured duration expires, access is automatically revoked. This is especially useful for scenarios which involve sensitive environments like banking, healthcare or PII data processing.
Need any help?
If you face any issues or need any help in configuration, please feel free to reach out to us at [email protected]. You can also connect with us on the Drupal Slack channel.