Session validation improvement #885
kristuff added a commit to kristuff/huge that referenced this issue on Jun 6, 2020: "like proposed here panique#885"
When a user is suspended using `AdminModel::setAccountSuspensionAndDeletionStatus()`, which internally calls the `AdminModel::resetUserSession()` method, the feedback message says "The selected user has been successfully kicked out of the system (by resetting this user's session)". That's not really true. In fact, the suspended user is still able to access protected pages until his session expires or he logs out. (Then, he is not able to log in anymore, as expected.)

There is no way to kick out the user instantly (strictly speaking). On the other hand, it's possible, with a minor change, to not wait until his session expires.

The `Session::isConcurrentSessionExists()` method that checks for session concurrency could be changed to `Session::isSessionBroken()` and check two things (with only one database call):

This way, the suspended user is kicked out as soon as he tries to access another page.

Actual method in `Session` class:

Proposed:

And don't forget to change the function in the `Auth` class.

I made that change in another project, and could make a PR.

Regards
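The single-query check the issue describes, written out as an added example (this is illustration code, not the huge project's own `Session` class nor the author's PR). The `users` table and the column names `session_id`, `user_suspension_timestamp` and `user_deletion_timestamp` are assumptions about the schema, and the `Session::destroy()` / `Redirect::to()` calls in the usage sketch are assumed helpers.

```php
<?php
// Added example, not from the huge project. One query fetches the stored
// session id together with the account state, so a suspended or deleted
// account is treated like a broken session on its very next request.

class SessionGuard
{
    /**
     * Returns true when the current session must be ended: either another
     * login replaced this session (concurrency) or the account was suspended
     * or deleted after the user logged in. Unknown users are also "broken".
     *
     * Assumption: user_suspension_timestamp holds the time until which the
     * account is suspended; user_deletion_timestamp is set when it is deleted.
     */
    public static function isSessionBroken(PDO $db, string $sessionId, int $userId): bool
    {
        $stmt = $db->prepare(
            'SELECT session_id, user_suspension_timestamp, user_deletion_timestamp
               FROM users WHERE user_id = :user_id LIMIT 1'
        );
        $stmt->execute([':user_id' => $userId]);
        $row = $stmt->fetch(PDO::FETCH_OBJ);

        if ($row === false) {
            return true; // no such user any more: do not keep the session alive
        }

        // 1) Concurrency: the id stored at login no longer matches this request.
        if (!hash_equals((string) $row->session_id, $sessionId)) {
            return true;
        }

        // 2) Account state: suspension still in force, or account deleted.
        $now = time();
        $suspended = !empty($row->user_suspension_timestamp)
            && (int) $row->user_suspension_timestamp > $now;
        $deleted = !empty($row->user_deletion_timestamp);

        return $suspended || $deleted;
    }
}

// Usage sketch for the Auth check (assumed helper names):
// if (SessionGuard::isSessionBroken($db, session_id(), (int) $_SESSION['user_id'])) {
//     Session::destroy();        // drop the local session
//     Redirect::to('login/index'); // send the user back to the login page
// }
```

The admin-side `resetUserSession()` then only needs to clear or change the stored `session_id`; the guard above catches both that and the suspension flag on the user's next page load.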