Supersedes https://github.com/TryGhost/Ghost/issues/6384
The sessions table contains a user_id column; we should remove all sessions (including the current one?) for the logged-in user when the password is changed.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Not stale
Think there's a fundamental question asked in the issue description that is yet to be answered:
> we should remove all sessions (including the current?)
Checked the flow of password reset/session behavior in other sites for reference. And it is the same across StackOverflow, GitHub and Twitter: current session is kept, all the rest are removed. So think it's sensible to keep the same behavior here.
If we go with the above-mentioned flow (which makes sense to me), we'd need to think of a way to pass the session id into the "frame" (frame.user object) to be able to remove only the "other" sessions.
Think the least intrusive way of doing so would be extending the current frame.user object assigned in the session middleware with an additional session_id attribute. This conceptually seems to make sense, as the session is only associated with the user, and I don't see any good reason to introduce a separate frame.session.
@allouis what do you think about the above? Was there any other research done on this topic?
/cc @vikaspotluri123
@gargol keep the current session - we don't want to log someone out immediately when they change their password, main aim is to make sure old sessions on other devices are destroyed so that they can no longer be used until there's a successful login with the new password.
I would like to work on this one
@dawidcyron cool! If you start any work please make sure to incorporate a big chunk that has already been done in https://github.com/TryGhost/Ghost/pull/10872 :wink: