[Feature request] Logout all users / specific user from all device #1245

lcharette · 2024-03-10T19:59:48Z

See #1112. There's is a valid need to be able to logout a specific user, or all user for that matter, from all logged in devices/browser. It's not as simple as removing the "remember me" token in the persistence table. The PHP session also needs to be voided.

Note that calling logout as proposed in #1112 doesn't work, as a) it will void the current user session (can't work to force logout another user) and b) the session from a second browser won't be invalidated.

This function could be available in the admin panel as a button the root user can use to do it manually, or for security measure when modifying a password as described in #1112.

The text was updated successfully, but these errors were encountered:

lcharette added core feature request Feature request security Framework security issue V5 labels Mar 10, 2024

lcharette added this to the 5.2.0 milestone Mar 10, 2024

lcharette added this to UserFrosting Task Planner Mar 10, 2024

lcharette mentioned this issue Mar 10, 2024

Security Fix for Session Fixation - huntr.dev #1112

Closed

lcharette moved this to Todo 5.2.0 in UserFrosting Task Planner Mar 10, 2024

lcharette moved this from Todo 5.2.0 to Not Started in UserFrosting Task Planner Apr 13, 2024

lcharette modified the milestones: 5.2.0, 5.3.0 Apr 14, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Feature request] Logout all users / specific user from all device #1245

[Feature request] Logout all users / specific user from all device #1245

lcharette commented Mar 10, 2024

[Feature request] Logout all users / specific user from all device #1245

[Feature request] Logout all users / specific user from all device #1245

Comments

lcharette commented Mar 10, 2024