ORegister tracks every login session in {prefix}or_sessions with:
- SHA-256 hashed session token
- Device info (User-Agent)
- IP address
- Last active timestamp (auto-updated)
Admins can view all sessions for a user in the single user view. Sessions can be revoked individually.
Users can revoke their own sessions via AJAX (or_revoke_session).