codidact / qpixel

Q&A-based community knowledge-sharing software
https://codidact.com
GNU Affero General Public License v3.0

Add a way to sign out on all devices #1260

Closed cellio closed 9 months ago

cellio commented 9 months ago

meta:289211

If you've accidentally left yourself logged in on a device you don't have access to any more (like a public computer or a phone that's been lost), there's no way to remotely sign out on that device. This poses a security vulnerability. Can we add a way to sign out on all devices? Is something stored on the server that can be revoked, or is login state all client-side?

ArtOfCode- commented 9 months ago

Not currently possible. Sessions are all client-side via cookies at the moment. We have the option to put them in the database, but that's a decent size change - if and when we move to multiple web servers we'll need to do it, but at the moment we don't. Declining for now, but we can revisit in the future when we're looking at this again.
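An added illustration, not qpixel's own code, of the two session models this thread contrasts, written in Ruby since qpixel is a Rails app. `CookieOnlySessions` is a simplified signed-cookie store (HMAC over a base64 payload, an assumption standing in for the real cookie store); `ServerSideSessions` is the database-backed variant ArtOfCode- describes, with an in-memory Hash standing in for the sessions table. The scenario in `demo` is constructed from the issue: one user signed in on a lost phone and a laptop, a second user signed in elsewhere. With cookie-only sessions the server's only lever is rotating the signing secret, which signs out everyone; with server-side rows, "sign out on all devices" is a targeted delete.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Cookie-only sessions, as the thread describes qpixel's current state: the
# server keeps no record of who is signed in, so a cookie stays valid until it
# expires. Rotating the signing secret is the only revocation, and it is global.
class CookieOnlySessions
  def initialize(secret)
    @secret = secret
  end

  # Builds "<base64 payload>--<hmac>", a simplified signed cookie (assumption).
  def issue(user_id)
    payload = { 'user_id' => user_id, 'nonce' => SecureRandom.hex(8) }.to_json
    "#{Base64.strict_encode64(payload)}--#{sign(payload)}"
  end

  # Returns the user id the cookie was issued for, or nil if the signature fails.
  def current_user(cookie)
    encoded, mac = cookie.split('--', 2)
    return nil unless encoded && mac
    payload = Base64.strict_decode64(encoded)
    return nil unless secure_compare(sign(payload), mac)
    JSON.parse(payload)['user_id']
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # Global sign-out: every cookie signed with the old secret stops verifying.
  def rotate_secret!
    @secret = SecureRandom.hex(32)
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, payload)
  end

  # Constant-time comparison so the signature check does not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Database-backed sessions, the change ArtOfCode- mentions. A Hash stands in for
# the sessions table (assumption for this example). The cookie carries only an
# opaque id, so one session or all of a user's sessions can be revoked without
# touching anyone else's.
class ServerSideSessions
  def initialize
    @sessions = {} # session_id => { 'user_id' => ..., 'created_at' => ... }
  end

  def issue(user_id)
    id = SecureRandom.urlsafe_base64(32)
    @sessions[id] = { 'user_id' => user_id, 'created_at' => Time.now }
    id
  end

  def current_user(session_id)
    row = @sessions[session_id]
    row && row['user_id']
  end

  # "Sign out on all devices": delete every row for this user; returns the count.
  def sign_out_everywhere(user_id)
    before = @sessions.size
    @sessions.delete_if { |_, row| row['user_id'] == user_id }
    before - @sessions.size
  end
end

# Constructed scenario from the issue: user 42 is signed in on a lost phone and
# a laptop, user 7 is signed in elsewhere. Compare what each store can do.
def demo
  cookies = CookieOnlySessions.new(SecureRandom.hex(32))
  phone, laptop, other = cookies.issue(42), cookies.issue(42), cookies.issue(7)
  cookies.rotate_secret! # the only option available; user 7 is collateral
  cookie_only = [phone, laptop, other].map { |c| cookies.current_user(c) }

  table = ServerSideSessions.new
  phone, laptop, other = table.issue(42), table.issue(42), table.issue(7)
  revoked = table.sign_out_everywhere(42) # targeted; user 7 stays signed in
  server_side = [phone, laptop, other].map { |id| table.current_user(id) }

  { cookie_only: cookie_only, server_side: server_side, revoked: revoked }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running `demo` yields `cookie_only: [nil, nil, nil]` (secret rotation signed out user 7 too) and `server_side: [nil, nil, 7]` with `revoked: 2`. The server-side variant also costs a lookup per request and needs expiry of stale rows, which is the "decent size change" the comment refers to.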