Forums / Cotonti / Development / Logout - Kill all Sessions

Kilandor
#1 2012-02-19 14:11

Currently when you log out as a user it simply destroys your session, and cookie if you have one. Your last SID is still stored in the database, which allows you to easily be logged in from multiple locations, and just kill the login at that location.

This is good and bad: it leaves you the freedom to log in from a laptop or a phone or your PC and stay logged in on all of them. The downside is that if for some reason you want or need to log out of all sessions, it is impossible. There are multiple reasons to want or need this: security, cookie theft, stolen device, and so on.

The solution is simple: the SID in the database simply needs to be destroyed.

I propose the following:
Keep the logout the way it exists now but with an added option, another link, checkbox or something of the sort, to do a complete logout which will kill all other sessions. Further options could be a configuration for an admin (maybe some secure site) so that a logout will always kill all sessions.

GHengeveld
#2 2012-02-19 17:31

Good idea. Several forum systems I know have implemented this using an additional checkbox/URL param to kill all sessions. Should be simple to implement.

Eugene
#3 2012-02-20 19:22

If this option is going to be implemented, better include that in config.php -> there is a section about auth there. This is the kind of option to change rarely (not required to be in the admin area of the web-site)...
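The scheme discussed in this thread, modelled as an added example that is not part of any post and is not Cotonti's code: one SID stored per user, a plain logout that leaves it in place, and a "kill all sessions" logout that destroys it. The table layout, function names and the `CONFIG` key are assumptions made for illustration, as is the detail that a new login reuses the stored SID.

```python
import hmac
import secrets
import sqlite3

# Hypothetical stand-in for the config.php switch suggested in post #3.
CONFIG = {"logout_kills_all": False}

def make_db():
    """In-memory users table with one SID column (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, sid TEXT)")
    db.execute("INSERT INTO users (id, sid) VALUES (1, NULL)")
    return db

def stored_sid(db, user_id):
    row = db.execute("SELECT sid FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None

def login(db, user_id):
    """Return the cookie value for this device, reusing the stored SID if one exists."""
    sid = stored_sid(db, user_id)
    if sid is None:
        sid = secrets.token_hex(32)
        db.execute("UPDATE users SET sid = ? WHERE id = ?", (sid, user_id))
    return sid

def is_authenticated(db, user_id, cookie_sid):
    """A cookie is valid only while it matches the SID stored for the user."""
    sid = stored_sid(db, user_id)
    if sid is None or cookie_sid is None:
        return False
    return hmac.compare_digest(sid, cookie_sid)

def logout(db, user_id, kill_all=False):
    """Drop this device's cookie; with kill_all, destroy the stored SID as well."""
    if kill_all or CONFIG["logout_kills_all"]:
        db.execute("UPDATE users SET sid = NULL WHERE id = ?", (user_id,))
    return None  # the device's cookie after logout

def demo():
    db = make_db()
    laptop = login(db, 1)
    phone = login(db, 1)
    copied = laptop                 # a copy of the cookie taken before logout
    laptop = logout(db, 1)          # plain logout: only this device's cookie goes
    after_plain = (is_authenticated(db, 1, phone), is_authenticated(db, 1, copied))
    logout(db, 1, kill_all=True)    # complete logout: stored SID destroyed
    after_kill = (is_authenticated(db, 1, phone), is_authenticated(db, 1, copied))
    return after_plain, after_kill
```

In this model a cookie value copied before a plain logout keeps validating afterwards, which is the cookie-theft case raised in post #1; only the complete logout ends it.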