Logon sessions
A logon session is the kernel object that records a single authentication event. Every token belongs to exactly one session. This page covers what a session is, the logon SID it carries, and how it ties together every token issued from one sign-in.
Concept: Every logon session is tagged with a logon type — Interactive, Network, Service, Batch, NetworkCleartext, or NewCredentials. This page covers what each type means, when it is used, and how the type ends up in audit and access decisions.
Concept: A logon session is created by authd at successful authentication and destroyed when its last token reference drops. This page covers the creation path, the destruction event, and how userspace implements forced logout — there is no kernel revocation primitive.
Reference: logonse is the command-line tool for logon sessions — listing them, seeing which processes belong to one, creating and destroying them, and setting a process's mitigation flags.