benedmunds / CodeIgniter-Ion-Auth

Simple and Lightweight Auth System for CodeIgniter
http://benedmunds.com/ion_auth/
MIT License

Other sessions after changing password/resetting it in one are still active. #491

Closed SystemZ closed 11 years ago

SystemZ commented 11 years ago

After changing the password or resetting it in one session, other sessions are still active and valid when using "remember me". Is it a bug/feature or my configuration?

benedmunds commented 11 years ago

That's an intended feature since it is more efficient to use the session in memory instead of querying every time to check.

I can walk you through changing this for your implementation if needed.

SystemZ commented 11 years ago

I would really appreciate it if you could point out how to do it. I need to log out all active sessions when a user resets or changes their password.

benedmunds commented 11 years ago

Yea np. I'm on vacation the first part of this week so will get back to you later this week or this weekend.

-Ben Edmunds


SystemZ commented 11 years ago

Ok, I'll wait :)

benedmunds commented 11 years ago

This has not been tested but should show you enough so you can implement it:

```php
//this needs to be in your model

//assuming users_m is your model
//(a CodeIgniter model extends CI_Model so that $this->db, $this->session and $this->ion_auth resolve)
class users_m extends CI_Model
{
    //log the user out when the hash stored in the session no longer matches the database
    function check_password()
    {
        //add password to the select
        $this->db->select('password');
        $db_password_hash = $this->ion_auth->user()->row()->password;
        $password_hash = $this->session->userdata('password_hash');

        if ($db_password_hash !== $password_hash)
        {
            $this->ion_auth->logout();
        }
    }

    //remember the current password hash in the session at login
    function add_password_hash_to_session()
    {
        $this->db->select('password');
        $db_password_hash = $this->ion_auth->user()->row()->password;

        $this->session->set_userdata('password_hash', $db_password_hash);
    }
}

//this needs to be in your controller constructor or similar

//set_hook() takes the arguments for the hooked method as its last parameter; none are needed here

//set the hook to add the password hash to the session
$this->ion_auth->set_hook('post_set_session', 'post_set_session_add_password_hash_to_session', 'users_m', 'add_password_hash_to_session', array());

//set the hook to check that the password from the session and db match
$this->ion_auth->set_hook('logged_in', 'logged_in_check_password', 'users_m', 'check_password', array());
```
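
The same check as a stand-alone sketch, added here as an example and not part of the original comment or of Ion Auth: it keeps a keyed fingerprint of the password hash in the session instead of the hash itself, which matters where session data is stored client-side, and compares it in constant time. The function names, the `cred_fp` session key, `SERVER_KEY` and the sample passwords are assumptions constructed for the illustration.

```php
<?php
// Added example: plain PHP, no CodeIgniter or Ion Auth calls.
// SERVER_KEY and the sample passwords are constructed placeholder values.
const SERVER_KEY = 'constructed-demo-key-load-from-config';

// Keyed fingerprint of the stored password hash; this value, not the
// hash itself, is what gets written into the session.
function credential_fingerprint(string $passwordHash): string
{
    return hash_hmac('sha256', $passwordHash, SERVER_KEY);
}

// Run at login (the post_set_session step in the thread).
function bind_session(array $session, string $dbPasswordHash): array
{
    $session['cred_fp'] = credential_fingerprint($dbPasswordHash);
    return $session;
}

// Run on every request (the logged_in step in the thread).
function session_is_current(array $session, string $dbPasswordHash): bool
{
    if (!isset($session['cred_fp']) || !is_string($session['cred_fp'])) {
        // Sessions created before the check existed carry no fingerprint.
        return false;
    }
    // hash_equals() compares in constant time.
    return hash_equals(credential_fingerprint($dbPasswordHash), $session['cred_fp']);
}

// Constructed scenario: two devices log in, then the password changes on device A.
$oldHash = password_hash('old-password', PASSWORD_DEFAULT);
$deviceA = bind_session(['user_id' => 1], $oldHash);
$deviceB = bind_session(['user_id' => 1], $oldHash);

$newHash = password_hash('new-password', PASSWORD_DEFAULT);
// The session that made the change is re-bound so it stays logged in.
$deviceA = bind_session($deviceA, $newHash);

// Device A is still current; device B and an unbound session must be logged out.
var_dump(session_is_current($deviceA, $newHash));
var_dump(session_is_current($deviceB, $newHash));
var_dump(session_is_current(['user_id' => 1], $newHash));
```
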

SystemZ commented 11 years ago

I'll check if it works in a few days. Thanks for your time :)

SystemZ commented 11 years ago

I used it a little bit differently, but it works perfectly :) Thank you for your time!