amnah / yii2-user

Yii2 user authentication module
MIT License

Change auth_key when have a new password #206

Open mingchi21 opened 6 years ago

mingchi21 commented 6 years ago

I have a problem: if I log in on another device with [Remember Me] checked and forget to log out, that device stays logged in until I log out manually. Even if I change the password on any other device, the logged-in device can still access my account. The program implements [Remember Me] by checking the cookie with id and auth_key. I think it should regenerate the auth_key when the password is changed, and the code in models/User.php would be modified as follows. So when I change the password on one device, the other logged-in devices will lose their logged-in state after closing the browser.

    /**
     * @inheritdoc
     */
    public function beforeSave($insert)
    {
        ...
        // hash new password if set
        if ($this->newPassword) {
            $this->password = Yii::$app->security->generatePasswordHash($this->newPassword);
            // regenerate auth_key so existing "Remember Me" cookies no longer validate
            $this->auth_key = Yii::$app->security->generateRandomString();
        }

amnah commented 6 years ago

Hmmm good idea, but unfortunately your solution wouldn't really work. It's a bit more complicated than just changing their auth_key.

https://github.com/yiisoft/yii2/blob/master/framework/web/User.php#L670-L712

From here you can see that it checks the session first. If it fails the session check, then it falls back to the cookie/auth_key check.

So to accomplish what you want, you would need to start storing the user's session somewhere (e.g., in the database) and then invalidate all the sessions through that.
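One way to implement the session-store approach described in the comment above, as an added example that is not the module's own code: persist sessions with Yii2's DbSession, record the owning user in each row through its writeCallback, and on a password change rotate auth_key (kills Remember Me cookies) and delete the user's other session rows (kills active sessions). It assumes the standard Yii2 session table with an added nullable user_id column, and a User model with the newPassword, password and auth_key attributes shown in the issue.

```php
<?php
// Added example, not part of amnah/yii2-user. Assumes the standard Yii2
// `session` table (id, expire, data) plus an added nullable `user_id` column.

// --- 1. config/web.php (excerpt): DB-backed sessions tagged with their owner ---
$config['components']['session'] = [
    'class' => 'yii\web\DbSession',
    'sessionTable' => '{{%session}}',
    // Extra columns written alongside id/expire/data on every session save.
    'writeCallback' => function ($session) {
        return ['user_id' => Yii::$app->user->isGuest ? null : Yii::$app->user->id];
    },
];

// --- 2. models/User.php (excerpt): rotate auth_key and drop other sessions ---
class User extends \yii\db\ActiveRecord implements \yii\web\IdentityInterface
{
    private $passwordChanged = false;

    public function beforeSave($insert)
    {
        if (!parent::beforeSave($insert)) {
            return false;
        }
        if ($this->newPassword) {
            $this->password = Yii::$app->security->generatePasswordHash($this->newPassword);
            // A fresh auth_key makes loginByCookie's validateAuthKey() fail for
            // every outstanding "Remember Me" cookie.
            $this->auth_key = Yii::$app->security->generateRandomString();
            $this->passwordChanged = true;
        }
        return true;
    }

    public function afterSave($insert, $changedAttributes)
    {
        parent::afterSave($insert, $changedAttributes);
        if ($this->passwordChanged) {
            // Session-based logins never touch auth_key, so remove the rows directly;
            // keep the session that performed the change so this device stays logged in.
            Yii::$app->db->createCommand()->delete('{{%session}}', [
                'and',
                ['user_id' => $this->id],
                ['<>', 'id', Yii::$app->session->id],
            ])->execute();
            $this->passwordChanged = false;
        }
    }
    // ... remaining IdentityInterface methods unchanged ...
}
```

The user_id column is only populated on the next session write after login, so existing rows need a migration (or a forced re-login) before the delete covers them.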

mingchi21 commented 6 years ago

OK,got it, thanks.

amnah wrote on 2018-05-05 20:34:
