Session Lifecycle
Understanding the session lifecycle helps you manage access effectively. This guide explains the different states a session can be in and how transitions occur.
Session Status Flow
Sessions progress through several states from creation to termination:
┌─────────┐
│ PENDING │
└────┬────┘
│
┌────────────────┼────────────────┐
│ │ │
v v v
┌────────┐ ┌────────┐ ┌────────┐
│ ACTIVE │ │PARTIAL │ │ FAILED │
└───┬────┘ └───┬────┘ └────────┘
│ │
│ (manual │
│ stop) │
│ │ │
│ v │
│ ┌──────────┐ │
└─>│ EXPIRING │<┘
└────┬─────┘
│
┌──────┴──────┐
│ │
v v
┌─────────┐ ┌───────────┐
│ EXPIRED │ │ CANCELLED │
└─────────┘ └───────────┘
Session States
PENDING
Appears immediately after clicking Start Session. IP rule application tasks have been queued and background workers are adding ingress rules to your cloud resources. This typically lasts 5-30 seconds.
You can click Stop to cancel a pending session.
ACTIVE
All IP rules have been successfully applied. Your IP is whitelisted on all assigned resources. You can extend or stop the session from the Actions column.
PARTIAL
Some IP rules applied successfully, but others failed. This can happen due to cloud provider API errors, invalid resource configuration, or insufficient permissions.
Click the session row to expand it and check the per-resource details — the Error column shows why individual rules failed. You can still extend or stop a partial session.
FAILED
All IP rule applications failed. No access was granted. This indicates a systemic issue — typically invalid credentials or all resources misconfigured.
Contact your administrator to verify cloud credentials and resource configuration.
EXPIRING
The session has reached its expiration time or you clicked Stop. IP rule removal is in progress. This typically lasts a few seconds.
EXPIRED
Session ended normally at its expiration time. All IP rules have been removed.
CANCELLED
Session was manually stopped before expiration. All IP rules have been removed.
Resource IP States
When you expand a session row, each resource IP entry has its own status:
| Status | Color | Meaning |
|---|---|---|
| PENDING | blue | Rule application queued |
| APPLYING | blue | Rule being applied right now |
| APPLIED | green | Rule active — access granted |
| FAILED | red | Rule application failed — check Error column |
| REMOVING | yellow | Rule removal in progress |
| REMOVED | gray | Rule removed — access revoked |
Reference Counting
EntryGuard uses reference counting to safely manage IP rules when multiple sessions share the same IP address and resource.
If you start two sessions from the same IP, both reference the same ingress rule on each resource. When one session ends, EntryGuard checks if other active sessions still need the rule:
- Other sessions still active — Rule stays in place, no interruption
- No more active sessions — Rule is removed
This means you can safely start a new session before an old one expires without losing access during the transition.
Automatic Cleanup
EntryGuard runs a background job every 60 seconds that:
- Finds sessions past their expiration time
- Transitions them to EXPIRING
- Queues IP rule removal tasks
- Updates status to EXPIRED after all rules are removed
No manual intervention is needed — expired sessions are always cleaned up automatically.
Error Handling
If IP rule application or removal fails due to a transient error (network timeout, API throttling), EntryGuard automatically retries with exponential backoff:
- Retry 1: After 30 seconds
- Retry 2: After 1 minute
- Retry 3: After 2 minutes
After 3 retries, the rule is marked as FAILED and logged in the audit trail.
API Reference: For programmatic access, see Sessions API.