🚀 Feature: Delete all user sessions on blocking a user #6061
Comments
I think an even better solution would be to automatically end the previous session if a new session is being created. I'm not sure about the security concerns of this though.
For that use-case it is probably best to set the session limit per user to 1 in the Auth Security tab. You might want a user to be logged in on multiple devices at the same time and your thought would deny that.
Hi, thank you for opening this issue, but would it make sense for you to maybe set the limit once and then try it out? https://appwrite.io/docs/authentication-security#limits I think there are some potential downsides to doing this. In some cases, retaining the session might be necessary for auditing or investigative purposes, especially in applications that require high security. Also, automatically deleting sessions could result in data loss if the user was in the middle of an unsaved task. There might be scenarios where an account is temporarily blocked due to some system or admin error. In such cases, deleting all sessions would force the user to log back into all devices, which could be an inconvenience. Can you let me know if setting the limit does the work for you and what your thoughts are?
Thanks @joeyouss for the detailed answer. You are totally right. You do not want to delete all of the user's sessions for those purposes. Even with a session limit set to 1 my issue would still not be fixed, besides the fact that it is not my goal to limit the user to only one active session. As a workaround I wrote a function that deletes all sessions for every user that is blocked. I think it is not necessary to still work on this issue due to Joe's explanation.
Just noticed I cannot execute the function from that session, since the "current user is blocked" and cannot execute a function with "any" execute access. Any workaround to recommend?
Changed to a scheduled execution every 15 minutes, which is totally fine for me. For me this is kinda solved now with this workaround.
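The scheduled clean-up workaround described in the comments above, written out as an added example. This is not code from the issue and not Appwrite's own code. It assumes a Users service shaped like node-appwrite's `Users` class, with `list()`, `listSessions(userId)` and `deleteSessions(userId)`; the in-memory `FakeUsers` and its fixture data are constructed here so the example runs offline, and its `list(limit, offset)` signature is a stand-in for the SDK's query-array form. Because a blocked user's own session cannot trigger the function (the failure reported above), the intended deployment is a scheduled execution authenticated with a server API key. The example also records every session it is about to revoke, which answers the auditing concern raised earlier in the thread, and skips users with no sessions so that repeated runs are no-ops.

```javascript
// Added example (not from the issue or from Appwrite): revoke every session
// of every blocked user, keeping an audit trail of what was revoked.
// `users` is assumed to expose list(), listSessions() and deleteSessions()
// like node-appwrite's Users service; `list(limit, offset)` stands in for
// users.list([Query.limit(limit), Query.offset(offset)]) in the real SDK.
async function revokeBlockedUserSessions(users, audit = []) {
  const summary = { checked: 0, blocked: 0, revoked: 0 };
  const pageSize = 100;

  // Page through the whole user base instead of trusting one response.
  for (let offset = 0; ; offset += pageSize) {
    const page = await users.list(pageSize, offset);

    for (const user of page.users) {
      summary.checked += 1;
      // Appwrite marks a blocked user with status === false.
      if (user.status !== false) continue;
      summary.blocked += 1;

      // Record the sessions before deleting them, so an investigator can
      // still see which device/IP was logged in at the time of the block.
      const { sessions } = await users.listSessions(user.$id);
      if (sessions.length === 0) continue; // nothing to revoke: idempotent

      for (const s of sessions) {
        audit.push({
          userId: user.$id,
          sessionId: s.$id,
          provider: s.provider,
          ip: s.ip,
          revokedAt: new Date().toISOString(),
        });
      }
      await users.deleteSessions(user.$id);
      summary.revoked += sessions.length;
    }

    if (page.users.length < pageSize) break; // last page reached
  }
  return summary;
}

// Constructed offline stand-in for the Users service (not the real SDK).
class FakeUsers {
  constructor(users, sessions) {
    this.users = users;
    this.sessions = sessions;
    this.deleteCalls = []; // records which users had sessions deleted
  }
  async list(limit, offset) {
    return { total: this.users.length, users: this.users.slice(offset, offset + limit) };
  }
  async listSessions(userId) {
    const sessions = this.sessions[userId] || [];
    return { total: sessions.length, sessions };
  }
  async deleteSessions(userId) {
    this.deleteCalls.push(userId);
    this.sessions[userId] = [];
  }
}

// Constructed fixture: one active user, one blocked user with a live
// session, one blocked user who is already logged out everywhere.
function constructedFixture() {
  return new FakeUsers(
    [
      { $id: 'alice', status: true },
      { $id: 'bob', status: false },
      { $id: 'carol', status: false },
    ],
    {
      alice: [
        { $id: 's1', provider: 'email', ip: '203.0.113.5' },
        { $id: 's2', provider: 'email', ip: '203.0.113.6' },
      ],
      bob: [{ $id: 's3', provider: 'email', ip: '198.51.100.9' }],
      carol: [],
    },
  );
}

if (typeof require !== 'undefined' && require.main === module) {
  const audit = [];
  revokeBlockedUserSessions(constructedFixture(), audit).then((summary) => {
    console.log(JSON.stringify({ summary, audit }, null, 2));
  });
}

module.exports = { revokeBlockedUserSessions, FakeUsers, constructedFixture };
```

Running it against the fixture revokes bob's single session, leaves alice's two sessions untouched, never calls `deleteSessions` for carol, and a second run changes nothing. In a real deployment the scheduled function would build the client with an API key that has `users.read` and `sessions.write` scopes and persist the `audit` entries somewhere the function's own logs are retained.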
Another option would be to write a function that is triggered on the There is a small caveat though, as mentioned in the Known Limitations section:
We would like to move forward with updating the Update user status API to also delete sessions. |
🔖 Feature description
When deleting a user in the Appwrite backend the sessions are still stored and not deleted.
Therefore a different user using the same device won't be able to sign in because the request is completely blocked.
🎤 Pitch
In my use-case it would make more sense to delete all sessions when a user is blocked since other users might not be able to sign in because the requests get rejected due to the blocked users sessions.
Steps:
👀 Have you spent some time to check if this issue has been raised before?
🏢 Have you read the Code of Conduct?