
Author Topic: Ability to view and cancel active sessions  (Read 330 times)

Offline Elf_Bloke

Ability to view and cancel active sessions
« on: July 06, 2018, 11:00:00 PM »
The ability to view and cancel the current active login sessions on your account is a very important security feature.

Use case 1: Ability to end sessions that are no longer needed, thus removing potential account security risks.
Here's a classic security nightmare. User X logs in via a public computer using a "Guest" account that everyone else uses. They have selected "Forever" for the session's lifespan and, without direct access to the computer, cannot force that session to end, meaning that anyone who uses that computer will be able to access the account until the cookies are wiped.

Use case 2: Ability to self-audit the account for any potential misuse.
User X believes that someone else is using their account behind their back. They can check the currently active sessions' IPs and user agent strings to ensure everything matches up. (Now, admittedly the administrator can always check the IPs themselves, but adding more options for users to check for themselves before calling the admin should help weed out unnecessary calls.)

Pretty useful feature!

Offline Kindred

Re: Ability to view and cancel active sessions
« Reply #1 on: July 06, 2018, 11:03:52 PM »
Just change the cookie name.

Online Aleksi "Lex" Kilpinen

Re: Ability to view and cancel active sessions
« Reply #2 on: July 07, 2018, 02:47:55 AM »
I do think you can cancel all active sessions for a username by logging out, and logging in again. So the problem isn't as bad as one might think.

Offline Arantor

Re: Ability to view and cancel active sessions
« Reply #3 on: July 07, 2018, 04:06:50 AM »
The entire cookie system needs a redesign. It has larger flaws than those described above.

Offline Elf_Bloke

Re: Ability to view and cancel active sessions
« Reply #4 on: July 07, 2018, 09:13:52 AM »
Quote from: Kindred
"Just change the cookie name."
I'm talking on a user by user basis here (although the nuclear option of force logging everyone out is always good  ;))

Quote from: Aleksi "Lex" Kilpinen
"I do think you can cancel all active sessions for a username by logging out, and logging in again. So the problem isn't as bad as one might think."

Huh, didn't know that :/
I still think this feature would be useful though, for the aforementioned reasons as well as manually logging in and out being a little clunky and not user-friendly.

But regardless, I think what Arantor is saying is true. Maybe this is a symptom of a bigger problem.
If the cookie system ever does get reworked I personally think that adding in this kind of functionality would be a good idea.

Offline SychO

Re: Ability to view and cancel active sessions
« Reply #5 on: July 07, 2018, 09:29:01 AM »
Wasn't this feature introduced in SMF 2.1 beta versions?

Offline Arantor

Re: Ability to view and cancel active sessions
« Reply #6 on: July 07, 2018, 09:33:37 AM »
No. The ability to track who logged in when/where is in the betas, but to achieve what is being discussed requires a redesign of the entire cookie + session system as implemented. It needs this anyway for security reasons.
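Both use cases in the first post (ending a session remotely, and reviewing each session's IP and user agent string) depend on the server keeping one record per login that it can list and delete. The following added example, which is not SMF code and does not come from any poster in this thread, shows one such design in Python; the class names, method names and the in-memory store are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    session_id: str            # public handle shown in the "active sessions" list
    user: str
    ip: str
    user_agent: str
    expires: Optional[float]   # None models the "Forever" lifespan of use case 1

class SessionRegistry:
    """One server-side record per login; the cookie token alone grants nothing."""

    def __init__(self):
        self._by_hash = {}     # sha256(cookie token) -> Session

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, ip, user_agent, lifetime=None):
        token = secrets.token_urlsafe(32)   # random value placed in the cookie
        expires = None if lifetime is None else time.time() + lifetime
        sess = Session(secrets.token_hex(8), user, ip, user_agent, expires)
        self._by_hash[self._hash(token)] = sess   # only the hash is stored
        return token, sess.session_id

    def validate(self, token):
        # Checked on every request: a revoked or expired cookie returns None.
        key = self._hash(token)
        sess = self._by_hash.get(key)
        if sess and sess.expires is not None and sess.expires <= time.time():
            del self._by_hash[key]
            return None
        return sess

    def list_sessions(self, user):
        return [s for s in self._by_hash.values() if s.user == user]

    def revoke(self, user, session_id):
        # Matching on the owner stops a user from ending someone else's login.
        keys = [k for k, s in self._by_hash.items()
                if s.user == user and s.session_id == session_id]
        for k in keys:
            del self._by_hash[k]
        return bool(keys)
```

Because `validate` runs on every request, a "Forever" cookie left on a shared computer stops working as soon as its record is revoked from another device.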