Understanding Sitecore User Licensing and the Kick User Tool

Author

Brandon Bruno

Published

January 23, 2018

Tags

Understanding Sitecore User Licensing and the Kick User Tool

About Concurrent User Licensing

Sitecore licensing has adopted a few different models over the years (generally being based on the number of CM/CD/dev instances being deployed, but lately consumption-based). One element of licensing has always been consistent: concurrent user limits.

User licensing is pretty simple: each user that logs into the Sitecore Client takes up a licensing slot, and you can't have more concurrent users than your license allows.

Kicking Users

When Sitecore reaches its user limit, new login attempts will be blocked and redirected to an error page:

The "Add users" button redirects to a page on www.sitecore.com and allows you to temporarily increase the number of concurrent users. Your license information is passed to Sitecore so they are aware that you're requesting to exceed your limit. Boosting users frequently means Sitecore might reach out and request an update to your license (read: more money).

The "Kick off user" button navigates to a list of current user sessions and allows an administrator to kick sessions from Sitecore:

What Really Happens When You Kick a User

Here's the thing: when you kick a user from Sitecore using the Kick User tool, you're only removing them from a license slot, not logging them out of Sitecore and ending their ASP.NET session. A logged-in user who is kicked will maintain their session cookie (in the browser) and reoccupy a license slot on their next request to the server. Most users who are actively using Sitecore would never notice they were kicked, unless they happened to leave their browser idle long enough for the user limit to be reached between requests.

Using DomainAccessGuard

To understand how user sessions are managed for licensing, it's important to understand the DomainAccessGuard class. This static class is located in Sitecore.Kernel.dll at Sitecore.Web.Authentication.DomainAccessGuard.

DomainAccessGuard is responsible for managing a list of user sessions and ensuring it doesn't grow past the limit dictated by the active Sitecore license. There is a Kick() method that removes a user session for licensing purposes, but does not log the user out of Sitecore (that's the responsibility of the membership provider).

The Kick Users page in Sitecore utilizes DomainAccessGuard on the backend. If you have Sitecore PowerShell Extensions available, you can manage license sessions directly:

	
# Get sessions for active users
[Sitecore.Web.Authentication.DomainAccessGuard]::Sessions

# Kick a user by SessionID
[Sitecore.Web.Authentication.DomainAccessGuard]::Kick('iv2axeq2pnydqxdhaiqkz5m5')

You can combine those two snippets and kick all users at once: 

	
# Kick all user sessions
[Sitecore.Web.Authentication.DomainAccessGuard]::Sessions | ForEach-Object { [Sitecore.Web.Authentication.DomainAccessGuard]::Kick($_.SessionID) }

It turns out this code isn't original, as I discovered Michael West had written almost the exact same code a few years ago.

SPE also provides shortcuts for the above code: Get-Session (documentation) and Remove-Session (documentation).

Do you have questions, comments, or corrections for this post? Find me on Twitter: @BrandonMBruno