laravel / ideas

Issues board used for Laravel internals discussions.

[Proposal] Support for multiple remember tokens #971

Closed arondeparon closed 4 years ago

arondeparon commented 6 years ago

The current way of storing a "remember me" token in the the remember_token column with the user restricts the use of this feature to a single device.

Scenario:

A possible solution to this problem is to separate the remember tokens from the users table and store them in a separate remember_tokens table.

michaeldyrynda commented 6 years ago

I’d be curious how often a user is generating tokens on multiple devices anyway. Seems like an edge case you could handle in your own app though, I don’t think it’s something that’ll happen that often to warrant such a change.

sisve commented 6 years ago

I have a work computer, a home computer, and a mobile phone. GitHub remembers me on all three devices. Imagine how annoying it would be if I was forgotten every time I changed device...

This is also supported by BitBucket, Google, Slack, Facebook, and almost everything I use (except Jenkins). It's not a weird feature request at all, and it is just one more database table.

crynobone commented 6 years ago

Laravel only cycles the remember token if it is empty: https://github.com/laravel/framework/blob/5.5/src/Illuminate/Auth/SessionGuard.php#L447

However, it does reset the remember token if you log out from one of the devices, which I find should be expected behaviour unless you are doing something similar to Facebook, where you can remotely revoke access from each device.

That would be a nice feature for a 3rd-party package IMHO.


arondeparon commented 6 years ago

@crynobone

However, it does reset the remember token if you log out from one of the devices, which I find should be expected behaviour unless you are doing something similar to Facebook, where you can remotely revoke access from each device.

I expect this is actually intended behavior because it prevents the cookie from being hijacked after you log out.

If the remember token were not cycled after logging out, an attacker could theoretically still log in using your cookie.

michaeldyrynda commented 6 years ago

Right, so as @crynobone points out, you can log in on multiple devices simultaneously as the remember token only changes when the token is empty, which ought to only happen when you log out.

Having multiple tokens would allow you to boot a single session without having to boot all of them, though, e.g. if your account was compromised.

taylorotwell commented 6 years ago

I'm definitely open to a PR in this area for 5.7 if someone wants to look into it.

hubertnnn commented 6 years ago

One issue I see in the current implementation (shared remember token) is that if the user logs out on a temporary device, they will get logged out everywhere.

Example:

  1. I login on my personal computer with remember me
  2. I login in my phone with remember me
  3. I login at work with remember me
  4. I login at friend's house (without using remember me)
  5. I logout at friend's house (effect: I am logged out from all devices above)

powelski commented 6 years ago

+1 for this request. It's not 2000 anymore, jumping from one device to another is a standard today. Laravel still works better than many other systems that just log you out once you log in on another device. Laravel forgets all your Remember Me sessions only if you explicitly log out on any device.

The reason for this is that the remember token gets changed every time you log out. That's kinda quirky by the way, because even if you never use Remember Me option, your token will still be generated for you whenever you explicitly log out. I'd call it a small security hole.

I think remember tokens should definitely go to a separate table and make each device independent. Logging you out of all remembered sessions when you log out anywhere makes for illogical behavior. @hubertnnn gave a perfect example. People who regularly use non-trusted devices and log out explicitly a lot can forget about the Remember Me option, as they will go crazy with being logged out all the time.

cosecantt commented 6 years ago

@hubertnnn

  1. I login on my personal computer with remember me
  2. I login in my phone with remember me
  3. I login at work with remember me
  4. I login at friend's house (without using remember me)
  5. I logout at friend's house (effect: I am logged out from all devices above)

That is exactly correct. If you log out on one of your devices the remember_me token will get refreshed, which will affect all remembered devices. We need an independent remember-per-device feature in Laravel 5.7.

dvlpr91 commented 6 years ago

@hubertnnn

  1. I login on my personal computer with remember me
  2. I login in my phone with remember me
  3. I login at work with remember me
  4. I login at friend's house (without using remember me)
  5. I logout at friend's house (effect: I am logged out from all devices above)

That is exactly correct. If you log out on one of your devices the remember_me token will get refreshed, which will affect all remembered devices. We need an independent remember-per-device feature in Laravel 5.7.

I think so. But it was not solved.

tomsisk commented 6 years ago

We created a package for this because we needed the functionality now: https://github.com/barchart/laravel-remember-all

Looking for feedback, and then perhaps we can open a pull request to Laravel core.

CyrilMazur commented 6 years ago

@tomsisk I went through the code, it looks fine to me. I think you'll get more feedback if you open a PR, it'll be more visible. Looking forward to seeing this feature in Laravel core!

ow commented 5 years ago

I don't like bumping old threads but I was surprised to find this is an issue in Laravel only after implementing a project recently. With ~100 users I get at least a daily complaint about this, and it makes Progressive Web Apps useless because Laravel breaks the PWA session as soon as the user signs in on a computer.

I'd love to see this merged in core, it's a serious issue that I was surprised to see hasn't even been beyond the ideas phase yet.

d-damien commented 5 years ago

While I get the idea, being able to log out from all devices at once is also a feature (use cases: someone steals your stuff and you have only one device left, or you forgot to log out from an unsafe place).

Maybe we could have a /sessions route amongst the default Auth::routes() with a button to log out from each (or all except current).
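An added sketch, not Laravel's code and not from any commenter, of the separate remember_tokens table proposed in this thread, written in plain PHP with an in-memory array standing in for the table: logging out on one device revokes only its own row (the thread's request), while a revoke-all covers the "log out everywhere" use case above. The class and method names are assumptions.

```php
<?php
// Added example, not Laravel's code: per-device remember tokens kept in a separate
// remember_tokens table, modelled here with an in-memory array (assumed columns:
// id, user_id, token_hash, device). Plain PHP 7.4+, no framework needed.
final class RememberTokenStore
{
    private array $rows = [];
    private int $nextId = 1;
    // Issue a fresh token for one device. Only its hash is stored, so a leaked
    // table does not yield usable cookies. The cookie value is "id|secret".
    public function issue(int $userId, string $device): string
    {
        $secret = bin2hex(random_bytes(32));
        $id = $this->nextId++;
        $this->rows[$id] = ['user_id' => $userId, 'device' => $device,
                            'token_hash' => hash('sha256', $secret)];
        return $id . '|' . $secret;
    }

    // Resolve a cookie to a user id; null if the row is gone or the secret is wrong.
    public function userFor(string $cookie): ?int
    {
        [$id, $secret] = explode('|', $cookie, 2) + [null, null];
        $row = $this->rows[(int) $id] ?? null;
        if ($row === null || !hash_equals($row['token_hash'], hash('sha256', (string) $secret))) {
            return null;
        }
        return $row['user_id'];
    }

    // Logging out on one device revokes only that device's row.
    public function revoke(string $cookie): void
    {
        unset($this->rows[(int) explode('|', $cookie, 2)[0]]);
    }

    // "Log out everywhere": drop every row belonging to the user.
    public function revokeAll(int $userId): void
    {
        $this->rows = array_filter($this->rows, fn ($r) => $r['user_id'] !== $userId);
    }
}
$store = new RememberTokenStore();
$laptop = $store->issue(7, 'laptop');
$phone = $store->issue(7, 'phone');
$store->revoke($laptop); // log out on the laptop only; the phone stays remembered
printf("laptop: %s, phone: %s\n", var_export($store->userFor($laptop), true),
       var_export($store->userFor($phone), true));
$store->revokeAll(7);    // log out everywhere
printf("phone after revokeAll: %s\n", var_export($store->userFor($phone), true));
```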

ManojKiranA commented 5 years ago

Sounds good. So that we can set remember_me on multiple devices

lucasdcrk commented 4 years ago

This should definitely be integrated into Laravel's core. As @powelski pointed out, nearly every user uses at least 2 devices, and it's so annoying to log back in each time.

JackEllis commented 4 years ago

I'd love some comments on my PR for this: https://github.com/laravel/framework/pull/30839

JackEllis commented 4 years ago

@ArondeParon This can be closed as it exists now (see https://github.com/laravel/docs/pull/5659)

arondeparon commented 4 years ago

Nice find! Closing issue.