Simple Machines Community Forum

SMF Development => Feature Requests => Topic started by: Elf_Bloke on July 06, 2018, 11:00:00 PM

Title: Ability to view and cancel active sessions
Post by: Elf_Bloke on July 06, 2018, 11:00:00 PM
The ability to view and cancel the current active login sessions on your account is a very important security feature.

Use case 1: Ability to end sessions that are no longer needed, thus removing potential account security risks.
Here's a classic security nightmare. User X logs in via a public computer using a "Guest" account that everyone else uses. They have selected "Forever" for the session's lifespan and without direct access to the computer cannot force that session to end. This means that anyone who uses that computer will be able to access the account until the cookies are wiped.

Use case 2: Ability to self audit account for any potential misuse
User X believes that someone else is using their account behind their back. They can check the currently active sessions' IPs and user agent strings to ensure everything matches up. (Now, admittedly the administrator can always check the IPs themselves, but adding more options for users to check for themselves before calling an admin should help weed out unnecessary calls.)

Pretty useful feature!
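The per-session registry that the two use cases above describe, written out as an added Python example. This is not SMF code (SMF is PHP) and not from anyone in the thread; it assumes an in-memory store standing in for a database table, cookie values kept only as SHA-256 hashes, a short random public id per session for the "active sessions" list, and constructed sample IPs and user agents:

```python
"""Per-session login registry with listing and selective revocation (added example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    session_id: str            # short public id shown in the "active sessions" list
    token_hash: str            # sha256 of the cookie value; the raw token is never stored
    user: str
    ip: str
    user_agent: str
    created: float
    expires: Optional[float]   # None models the "Forever" cookie lifetime
    revoked: bool = False


class SessionStore:
    def __init__(self) -> None:
        self._by_hash: dict[str, Session] = {}   # in-memory stand-in for a DB table

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, ip: str, user_agent: str,
              lifetime: Optional[float] = None, now: Optional[float] = None) -> str:
        """Create a session and return the cookie value (a fresh random token)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        sess = Session(session_id=secrets.token_hex(4), token_hash=self._hash(token),
                       user=user, ip=ip, user_agent=user_agent, created=now,
                       expires=None if lifetime is None else now + lifetime)
        self._by_hash[sess.token_hash] = sess
        return token

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[Session]:
        """Map a cookie value to its live session; None if unknown, expired or revoked."""
        now = time.time() if now is None else now
        sess = self._by_hash.get(self._hash(token))
        if sess is None or sess.revoked:
            return None
        if sess.expires is not None and now >= sess.expires:
            return None
        return sess

    def active_sessions(self, user: str, now: Optional[float] = None) -> list[Session]:
        now = time.time() if now is None else now
        return [s for s in self._by_hash.values()
                if s.user == user and not s.revoked
                and (s.expires is None or now < s.expires)]

    def revoke(self, user: str, session_id: str) -> bool:
        """Use case 1: end one session by its public id. Scoped to `user`, so an
        account cannot kill another account's session by guessing the id."""
        for s in self._by_hash.values():
            if s.user == user and s.session_id == session_id and not s.revoked:
                s.revoked = True
                return True
        return False

    def revoke_all(self, user: str, keep_token: Optional[str] = None) -> int:
        """'Log out everywhere': the per-user form of the 'change the cookie name' option."""
        keep = None if keep_token is None else self._hash(keep_token)
        victims = [s for s in self._by_hash.values()
                   if s.user == user and not s.revoked and s.token_hash != keep]
        for s in victims:
            s.revoked = True
        return len(victims)


def suspicious_sessions(store: SessionStore, token: str,
                        now: Optional[float] = None) -> list[Session]:
    """Use case 2: other live sessions of the same account whose IP or user agent
    differs from the session making the request."""
    me = store.resolve(token, now)
    if me is None:
        return []
    return [s for s in store.active_sessions(me.user, now)
            if s is not me and (s.ip != me.ip or s.user_agent != me.user_agent)]


def demo() -> dict:
    """Constructed scenario from the post: a 'Forever' login left on a shared PC."""
    store = SessionStore()
    t0 = 1_700_000_000.0
    shared_pc = store.login("user_x", "203.0.113.7", "Mozilla/5.0 (Windows NT 10.0)", None, t0)
    phone = store.login("user_x", "192.0.2.44", "Mozilla/5.0 (Android 13)", 86400, t0 + 30)
    home = store.login("user_x", "198.51.100.20", "Mozilla/5.0 (X11; Linux)", 3600, t0 + 60)
    now = t0 + 120
    out = {}
    out["audit_ips"] = sorted(s.ip for s in suspicious_sessions(store, home, now))
    shared_id = store.resolve(shared_pc, now).session_id
    home_id = store.resolve(home, now).session_id
    out["cross_account_revoke"] = store.revoke("intruder", home_id)   # must fail
    out["revoked_shared_pc"] = store.revoke("user_x", shared_id)
    out["shared_pc_still_valid"] = store.resolve(shared_pc, now) is not None
    out["logged_out_everywhere"] = store.revoke_all("user_x", keep_token=home)  # phone only
    out["home_still_valid"] = store.resolve(home, now) is not None
    out["home_after_expiry"] = store.resolve(home, t0 + 60 + 3600) is not None
    return out
```

Two design points worth noting: the cookie value itself is never written to the store (only its hash), so a leaked sessions table does not hand out usable cookies, and the id shown in the sessions list is separate from the secret, so listing one's sessions cannot leak a token. `revoke` is always scoped to the requesting user; an endpoint that accepted a bare session id without that check would let any user log out anyone.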
Title: Re: Ability to view and cancel active sessions
Post by: Kindred on July 06, 2018, 11:03:52 PM
Just change the cookie name.
Title: Re: Ability to view and cancel active sessions
Post by: Aleksi "Lex" Kilpinen on July 07, 2018, 02:47:55 AM
I do think you can cancel all active sessions for a username by logging out, and logging in again. So the problem isn't as bad as one might think.
Title: Re: Ability to view and cancel active sessions
Post by: Arantor on July 07, 2018, 04:06:50 AM
The entire cookie system needs a redesign. It has larger flaws than those described above.
Title: Re: Ability to view and cancel active sessions
Post by: Elf_Bloke on July 07, 2018, 09:13:52 AM
Quote from: Kindred
Just change the cookie name.
I'm talking on a user-by-user basis here (although the nuclear option of force-logging everyone out is always good ;))

Quote from: Aleksi "Lex" Kilpinen
I do think you can cancel all active sessions for a username by logging out, and logging in again. So the problem isn't as bad as one might think.

Huh, didn't know that :/
I still think this feature would be useful though, for the aforementioned reasons, as well as manually logging in and out being a little clunky and not user-friendly.

But regardless, I think what Arantor is saying is true. Maybe this is a symptom of a bigger problem.
If the cookie system ever does get reworked I personally think that adding in this kind of functionality would be a good idea.
Title: Re: Ability to view and cancel active sessions
Post by: SychO on July 07, 2018, 09:29:01 AM
Wasn't this feature introduced in SMF 2.1 beta versions?
Title: Re: Ability to view and cancel active sessions
Post by: Arantor on July 07, 2018, 09:33:37 AM
No. The ability to track who logged in when/where is in the betas, but to achieve what is being discussed requires a redesign of the entire cookie + session system as implemented. It needs this anyway for security reasons.