Ability to view and cancel active sessions

Started by Elf_Bloke, July 06, 2018, 11:00:00 PM


Elf_Bloke

The ability to view and cancel the current active login sessions on your account is a very important security feature.

Use case 1: Ability to end sessions that are no longer needed, thus removing potential account security risks.
Here's a classic security nightmare. User X logs in via a public computer using a "Guest" account that everyone else uses. They have selected "Forever" for the session's lifespan and without direct access to the computer cannot force that session to end. This means that anyone who uses that computer will be able to access the account until the cookies are wiped.

Use case 2: Ability to self-audit the account for any potential misuse
User X believes that someone else is using their account behind their back. They can check the currently active sessions' IPs and user agent strings to ensure everything matches up. (Now, admittedly the administrator can always check the IPs themselves, but adding more options for users to check for themselves before calling an admin should help weed out unnecessary calls.)

Pretty useful feature!

Kindred

Glory to Ukraine

Please do not PM, IM or Email me with support questions. You will get better and faster responses in the support boards. Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Aleksi "Lex" Kilpinen

I do think you can cancel all active sessions for a username by logging out, and logging in again. So the problem isn't as bad as one might think.
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Arantor

The entire cookie system needs a redesign. It has larger flaws than those described above.

Elf_Bloke

Quote from: Kindred on July 06, 2018, 11:03:52 PM
Just change the cookie name.
I'm talking on a user-by-user basis here (although the nuclear option of force logging everyone out is always good ;))

Quote from: Aleksi "Lex" Kilpinen on July 07, 2018, 02:47:55 AM
I do think you can cancel all active sessions for a username by logging out, and logging in again. So the problem isn't as bad as one might think.

Huh, didn't know that :/
I still think this feature would be useful though, for the aforementioned reasons as well as manually logging in and out being a little clunky and non-user-friendly.

But regardless, I think what Arantor is saying is true. Maybe this is a symptom of a bigger problem.
If the cookie system ever does get reworked I personally think that adding in this kind of functionality would be a good idea.

SychO

Wasn't this feature introduced in SMF 2.1 beta versions?
Check out my themes: Potato • Ackerman • SunRise • NightBreeze

Arantor

No. The ability to track who logged in when/where is in the betas, but to achieve what is being discussed requires a redesign of the entire cookie + session system as implemented. It needs this anyway for security reasons.
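As an added illustration (not SMF's code and not posted by anyone in this thread), here is a minimal server-side session registry in Python that covers both use cases from the opening post and the "nuclear option" mentioned later: the user can list live sessions with their IP and user agent, end one chosen session without access to the browser holding its cookie, or log every device out while keeping the current one (what logging out and back in achieves today). All names are hypothetical and the session table is kept in memory where a forum would use a database table.

```python
import hashlib
import secrets
import time


def session_id(token: str) -> str:
    """Only a hash of the bearer token is stored server-side, so a leaked table cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()


class SessionRegistry:
    """Per-user table of live sessions kept server-side, so any one of them can be
    ended without access to the browser that still holds its cookie."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict[str, dict]] = {}

    def login(self, user: str, ip: str, user_agent: str, lifetime=None, now=None) -> str:
        """Issue a session; lifetime=None models the forum's "Forever" cookie lifespan."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # constructed: a fresh random bearer token
        expires = None if lifetime is None else now + lifetime
        self._sessions.setdefault(user, {})[session_id(token)] = {
            "ip": ip, "user_agent": user_agent, "expires": expires}
        return token

    def validate(self, user: str, token: str, now=None) -> bool:
        now = time.time() if now is None else now
        s = self._sessions.get(user, {}).get(session_id(token))
        return s is not None and (s["expires"] is None or s["expires"] > now)

    def list_sessions(self, user: str) -> list[dict]:
        """Use case 2: the view a user self-auditing the account would see."""
        return [{"id": sid[:12], **s} for sid, s in self._sessions.get(user, {}).items()]

    def _drop(self, user: str, keep) -> int:
        table = self._sessions.get(user, {})
        victims = [sid for sid in table if not keep(sid)]
        for sid in victims:
            del table[sid]
        return len(victims)

    def revoke(self, user: str, id_prefix: str) -> int:
        """Use case 1: end one chosen session, identified by the id shown in list_sessions."""
        return self._drop(user, keep=lambda sid: not sid.startswith(id_prefix))

    def revoke_all(self, user: str, keep_token=None) -> int:
        """The 'nuclear option': log every device out except, optionally, the requester's own session."""
        keep = session_id(keep_token) if keep_token else None
        return self._drop(user, keep=lambda sid: sid == keep)
```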
