Open ghost opened 5 years ago
@distantnative commented on Jun 20, 2018, 4:41 PM UTC:
lukasbestle your opinion: crucial for 3.0 or could also be added in 3.0.x or 3.1?
@lukasbestle commented on Jun 20, 2018, 6:04 PM UTC:
As this is a new feature that we don't have in v2, I think it's totally fine to add this later. But not too late as our new "remember me" sessions can have a much longer session duration than our old unreliable and very short sessions and should therefore be automatically expired on password changes.
No idea how this ended up in an Alpha milestone though. Maybe we renamed a milestone at some point?
@distantnative commented on Jun 20, 2018, 9:19 PM UTC:
Yea I renamed the Beta 1 milestone to Alpha 11 today to match the upcoming releases. But I think 3.1 sounds good.
@lukasbestle commented on Apr 7, 2018, 1:18 PM UTC:
For better security, all sessions except the current one should automatically expire when the user changes his/her password or by manually clicking "expire all other sessions" in the Panel.
This can be done by storing the timestamp of the login in the session. In the user file, there should be a timestamp of the last password change (let's call it the `sessionValidator`). This timestamp will be reset on every password change or click on the "expire all other sessions" button. When checking if the current session is valid, the timestamp in the user file can be compared to the one in the session. The one in the session must be greater than the one in the user file, otherwise `$kirby->user()` needs to return `null`.

To do:

- `User` prop called `sessionValidator`. Initialize it with the current time on user creation.
- `time()` in a session property in `$user->login()`.
- `$user->logout()`.
- `$kirby->user()` method.

This issue was moved by bastianallgeier from k-next/kirby#385.
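The validator check described in the issue, as an added example in plain PHP; this is not Kirby's code, and the class and function names (`User`, `Session`, `login`, `logout`, `expireOtherSessions`, `currentUser`) are hypothetical stand-ins for the props and methods named above. It compares with `>=` rather than the strict `>` from the issue text, because with one-second timestamps the session that just changed the password otherwise expires itself.

```php
<?php
// Added example, not Kirby code: a minimal model of the sessionValidator check.
// All names (User, Session, login, logout, expireOtherSessions, currentUser) are hypothetical.
class User {
    public $name;
    public $sessionValidator; // timestamp of the last password change; set on creation
    public function __construct(string $name, int $createdAt) {
        $this->name = $name;
        $this->sessionValidator = $createdAt;
    }
}
class Session {
    public $user = null;      // user name, null when logged out
    public $loginTime = null; // time() at login, null when logged out
}
// $user->login(): remember who logged in and when.
function login(Session $session, User $user, int $now): void {
    $session->user = $user->name;
    $session->loginTime = $now;
}
// $user->logout(): drop both values.
function logout(Session $session): void {
    $session->user = $session->loginTime = null;
}
// Password change or "expire all other sessions": reset the validator and re-stamp
// the session that triggered it so that this one session stays valid.
function expireOtherSessions(User $user, Session $current, int $now): void {
    $user->sessionValidator = $current->loginTime = $now;
}
// $kirby->user(): null unless the session was created at or after the validator.
// >= rather than >: with one-second resolution the session that just changed the
// password has loginTime == sessionValidator and must survive.
function currentUser(Session $session, array $users): ?User {
    if ($session->user === null || $session->loginTime === null) {
        return null;
    }
    $user = $users[$session->user] ?? null;
    return ($user !== null && $session->loginTime >= $user->sessionValidator) ? $user : null;
}
// Constructed walkthrough: two sessions for alice, then a password change from session A.
$alice = new User('alice', 1000);
$users = ['alice' => $alice];
$a = new Session(); login($a, $alice, 2000);
$b = new Session(); login($b, $alice, 3000);
expireOtherSessions($alice, $a, 4000);
assert(currentUser($a, $users) !== null); // A survives: it was re-stamped to 4000
assert(currentUser($b, $users) === null); // B expired: 3000 < 4000
logout($a);
assert(currentUser($a, $users) === null);
```

The "expire all other sessions" button is the same operation as the password change here: only the validator moves, so every session whose login timestamp is older than it stops resolving to a user on its next request.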