Open calmyournerves opened 12 years ago
Any news on this?
It would be good to have this functionality; as far as I know there is no implementation of it. It could be very similar to what Google has right now. When you log into the application you can see who is logged in and from where. And of course you can log out all existing sessions.
I do not know if the best solution is to add this only when you change the password, because it can also happen when you, for example, forgot to log out from another computer or something like that.
If you have a proposal, just open a pull request; in the meantime I will also try to prepare something.
Hello fellow developers!
Given the following scenario: User A logs into an application behind CAS. Evil user B stole user A's password and logs in too. The RubyCAS-Server now has two tickets (separate sessions) for each user. User A now finds out what's going on and changes his password, user B remains logged in.
How do you guys deal with this? We have implemented a custom method which deletes all tickets for a given user (e.g. /global-logout, only called when a user changed his password). But looking at the CAS protocol specs, this issue doesn't seem to be addressed.
Do you have other solutions for this or did I miss something? Should I create a Pull Request?
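
The per-user ticket purge discussed in this thread, as an added example that is not code from RubyCAS-Server or from any participant: a hypothetical in-memory `TicketRegistry` (all class, method and sample names are assumptions) in which a global logout removes every ticket-granting ticket for one user, so a second session opened with the same password can no longer obtain service tickets.

```ruby
require 'securerandom'

# Hypothetical in-memory ticket registry; not RubyCAS-Server code.
class TicketRegistry
  TGT = Struct.new(:id, :username, :client_ip, :service_tickets)

  def initialize
    @tgts = {} # TGT id => TGT, one per login session
  end

  def issue_tgt(username, client_ip)
    tgt = TGT.new("TGT-#{SecureRandom.hex(16)}", username, client_ip, {})
    @tgts[tgt.id] = tgt
    tgt.id
  end

  # Service tickets are only granted against a TGT that still exists.
  def issue_service_ticket(tgt_id, service)
    tgt = @tgts[tgt_id]
    return nil unless tgt
    st = "ST-#{SecureRandom.hex(16)}"
    tgt.service_tickets[st] = service
    st
  end

  # What a "who is logged in, and from where" view would list.
  def sessions_for(username)
    @tgts.values.select { |t| t.username == username }
  end

  # Global logout: drop every TGT (with its service tickets) for the user.
  # Returns the services that held tickets so they can end local sessions.
  def global_logout(username)
    revoked = sessions_for(username)
    revoked.each { |t| @tgts.delete(t.id) }
    revoked.flat_map { |t| t.service_tickets.values }.uniq
  end
end

# Constructed scenario: two sessions for alice, then a password change.
def demo_password_change
  reg = TicketRegistry.new
  reg.issue_tgt('alice', '198.51.100.7')
  second = reg.issue_tgt('alice', '203.0.113.50') # same password, other client
  reg.issue_tgt('bob', '198.51.100.9')
  reg.issue_service_ticket(second, 'https://app.example/')
  notified = reg.global_logout('alice') # called by the password-change handler
  [reg.sessions_for('alice').size, reg.sessions_for('bob').size, notified,
   reg.issue_service_ticket(second, 'https://app.example/')]
end
```

Removing tickets on the CAS server does not by itself end sessions that client applications already created from earlier service tickets, which is why `global_logout` returns the affected services.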