While utilizing Sugar, users may be unexpectedly logged out of the system. This article covers several reasons that the browser may automatically log a user out as well as some high-level troubleshooting tips.

Multiple Sessions Under the Same Username
Sugar only permits a username to be logged in under one session, and any additional user sessions started using the same username will log out the previous session. This behavior is for your security as Sugar does not allow multiple sessions for the same username from different computers or browsers.
​
If any additional user session is detected, the user will be automatically logged out of the system and will have to log back into Sugar. To prevent situations like this, please do not share your login credentials (username and password) with others. This will ensure that only one session is active with each username.

When a user does not perform any actions in Sugar for a period of time, the user is automatically logged out.
​
When a user logs into Sugar, an access token and a refresh token are returned which regulate the user's session timeouts in Sugar. If the access token expires during an active user session, Sugar will automatically pull for another access token as long as the refresh token is not expired. This allows the current session to be active indefinitely.
​
The default settings for Sugar are as follows:

Please note that you can configure the Refresh Token Lifetime and Access Token Lifetime settings to best meet your organization's needs.
​
​Note: Automatic notification queries are made to the server on a user's behalf at a default interval of every 5 minutes. Sugar interprets these queries as user activity and will cause the current session to remain active without actual user input. For more information, please refer to the Setting Sugar's Notification Delay section below.

A user's IP address may change for a number of reasons. If a user's IP address changes while they are logged into Sugar the system, by default, will log the user out and force the user to log back in. The Client IP verification will return the error "You have been logged out because your session has expired." as well as logging "IP Address mismatch: SESSION IP: CLIENT IP: " in the Sugar log.
​
Disable client IP verification using the following steps:
​
​Note: Beginning with version 10.1.0, the "Validate user IP address" setting is disabled by default in Admin > System Settings.

Sugar uses your internet browser's cache to optimize page-load speeds and general performance by saving and reloading visited pages instead of pulling the same data over and over again each time you revisit a page. Beginning with version 10.0.0, when a user first logs into Sugar, they must accept the use of cookies in the application to help provide a better user experience.
​
Occasionally, users may need to clear their browser's cache and cookies, and the methods used to perform this action will vary depending on the browser and operating system they use. Please note that performing this action can remove cookies from Sugar, which will end the user's current session and automatically log them out of the system. The user will need to log back into Sugar to access their account again.

When a user is logged on to a Windows computer, they will be automatically logged out of Sugar if they close their browser including all Sugar tabs. When the user reopens their browser to access Sugar, they must log in to the instance again. Please note that all active Sugar browser tabs must be closed for you to get logged out of the system, so if you still have some other Sugar windows open, then you will still be logged in.
​
Using Mac OS X, this behaves slightly differently. A user must quit the browser process completely for Sugar to automatically log them out. Simply closing the browser tabs will not log the user out of Sugar. Furthermore, the end user's browser must be configured to allow this setting to log them out. Network Administrators may choose to enforce a browser security policy on their networked machines to verify that this setting is not modified by the end-user.
​
For example, to adjust this setting on a user's Chrome browser, navigate to Settings, Privacy and security, Site Settings, Cookies and site data then enable the Clear cookies and site data when you quit Chrome option. If this option is not enabled, then the user's session will remain active in Sugar until their token expires via other means.