Umbraco 12.3 introduced a new configuration setting to limit concurrent logins (https://github.com/umbraco/Umbraco-CMS/pull/14967). Umbraco:CMS:Security:AllowConcurrentLogins default value will be changed to false in Umbraco 13 as per https://github.com/umbraco/Umbraco-CMS/pull/14989. This will prevent a user account from creating simultaneous sessions by default, meaning that only 1 session is allowed to be active at a time. This setting can always be set to true to not invalidate other active user sessions.
The value of Umbraco:CMS:Security:AllowConcurrentLogins was true for existing projects but false for new projects, so the new config setting didn't break existing functionality.
New behavior
The default value of Umbraco:CMS:Security:AllowConcurrentLogins will change to false.
Type of breaking change
[ ] Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load/execute or different run-time behavior.
[ ] Source incompatible: Source code may encounter a breaking change in behavior when targeting the new runtime/component/SDK, such as compile errors or different run-time behavior.
[X] Behaviour breaking
Reason for change
To have a more secure behaviour by default.
Recommended action
If concurrent logins are necessary, change the value of Umbraco:CMS:Security:AllowConcurrentLogins to true.
Description
Umbraco 12.3 introduced a new configuration setting to limit concurrent logins (https://github.com/umbraco/Umbraco-CMS/pull/14967).
Umbraco:CMS:Security:AllowConcurrentLogins
default value will be changed tofalse
in Umbraco 13 as per https://github.com/umbraco/Umbraco-CMS/pull/14989. This will prevent a user account from creating simultaneous sessions by default, meaning that only 1 session is allowed to be active at a time. This setting can always be set totrue
to not invalidate other active user sessions.More info: https://github.com/umbraco/UmbracoDocs/pull/5523
Version
Umbraco 13
Previous behavior
The value of
Umbraco:CMS:Security:AllowConcurrentLogins
wastrue
for existing projects butfalse
for new projects, so the new config setting didn't break existing functionality.New behavior
The default value of
Umbraco:CMS:Security:AllowConcurrentLogins
will change tofalse
.Type of breaking change
Reason for change
To have a more secure behaviour by default.
Recommended action
If concurrent logins are necessary, change the value of
Umbraco:CMS:Security:AllowConcurrentLogins
totrue
.Affected APIs
None