gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Allow users to invalidate all their webui sessions #13304

Open wadells opened 2 years ago

wadells commented 2 years ago

Thanks to Kunal Mhaske for reporting this to security@goteleport.com

What would you like Teleport to do?

As a teleport user, I'd like to:

1) invalidate my active webui sessions
2) view my active webui sessions

To illustrate the issue:

  1. Log in to Firefox with a local teleport user. Select 'stay logged in to this device'.
  2. Log in to Chrome with the same user. Select 'stay logged in to this device'.
  3. Suspect compromise, change the password in either browser.
  4. Notice that the session in the other browser remains active and cannot be forced to expire.

What problem does this solve?

This allows a user to invalidate their own web sessions in case of a suspected compromise or hardware loss.

Workaround

Use session locking. The downside here is this will prevent the user from logging in at all -- instead of only invalidating unwanted sessions.

Tested on Teleport v9.3.3.

See also:
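The missing behaviour from steps 3 and 4, as an added example (constructed for this page, not Teleport's own code): a minimal session store in which the password-change path revokes the user's other "stay logged in" sessions, so the cookie still held by the second browser stops validating. The names WebSession, SessionStore, Login, Active and RevokeOthers are assumptions for this illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"time"
)

// WebSession is one browser login ("stay logged in to this device").
// Constructed model for this example, not Teleport's own type.
type WebSession struct {
	User, Device string
	Expires      time.Time
}

// SessionStore maps opaque session IDs (the cookie value) to live sessions.
// Single-goroutine demo: a real store also needs locking and persistence.
type SessionStore map[string]*WebSession

// Login records a new session for user on device and returns its ID.
func (s SessionStore) Login(user, device string, ttl time.Duration) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil { // crypto/rand: IDs must be unguessable
		panic(err)
	}
	id := hex.EncodeToString(b)
	s[id] = &WebSession{User: user, Device: device, Expires: time.Now().Add(ttl)}
	return id
}

// Active is the check a request cookie goes through; a revoked ID must fail it.
func (s SessionStore) Active(id string) bool {
	ws, ok := s[id]
	return ok && time.Now().Before(ws.Expires)
}

// RevokeOthers invalidates every session of user except keep, the one issuing
// the request. Called from the password-change handler (or a "sign out all
// sessions" button), it kills the session left in the other browser (step 4).
func (s SessionStore) RevokeOthers(user, keep string) int {
	n := 0
	for id, ws := range s {
		if ws.User == user && id != keep {
			delete(s, id)
			n++
		}
	}
	return n
}
```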

zmb3 commented 2 years ago

Thanks for linking to other relevant issues, @wadells.

wadells commented 2 years ago

For a look at GitHub's implementation of this UI, check out the bottom of this page:

https://github.com/settings/security

Not saying this is the "right way" (I think it is a bit heavy for what we need). I just wanted to provide an example.

gaursachin1642001 commented 1 year ago

For more info: https://hackerone.com/reports/1941799