The recommendation from the investigation on the framework issue regarding UX weaknesses of logging out across devices on https://github.com/silverstripe/silverstripe-framework/issues/9794 was that the default value of RememberLoginHash logout_across_devices should be changed from true to false if session-manager is installed.
The original UX issue of logout_across_devices = true being a bit weird still remains. It should still stay in place if session-manager is not installed, otherwise there is no way to log out malicious devices.
If session-manager is installed, then set logout_across_devices = false as a default in config, though this may also be reset to true in project config.
Note: No matter what value is set, the logic in Revoke a single session will set logout_across_devices to false for the duration of a 'revoke' request, essentially ignoring the config value.
ACs
[x] The default value of logout_across_devices remains the same as true if session-manager is not installed
[x] The default value of logout_across_devices is false if session-manager is installed
[x] Projects can override this and set the default value of logout_across_devices to true if session-manager is installed
[x] Project documentation is updated to reflect this