[RFC|Merged] Ability to delete auto login keys

These requests for comments/change have led to an implemented feature that has been successfully merged into the 3.1/Ascraeus branch. Everything listed in this forum will be available in phpBB 3.1.
bantu
3.0 Release Manager
Posts: 557
Joined: Thu Sep 07, 2006 11:22 am
Location: Karlsruhe, Germany

Post by bantu »

I'd like to suggest introducing an option to delete auto-login keys from the UCP.

What?
  • A list of auto login cookie keys the current user has shall be listed somewhere in the UCP.
  • The option to delete/revoke any specific key shall be given to the user.
Why?
  • It's currently not possible to delete auto login keys used on computers where you accidentally stayed logged in.
  • Logout only deletes the key being used at the moment of logout (if any).
Implementation Details
We currently (3.0.x) store the following data in the session key table.
  • key
  • user_id
  • last_login
I'd suggest adding
  • The last IP this key has been used from
  • The last User-Agent this key has been used from
to give some more useful data to the user.

A user interface / ucp module has to be written.

Ticket
http://tracker.phpbb.com/browse/PHPBB3-9647
Pull Request
https://github.com/phpbb/phpbb3/pull/652

naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Berlin, Germany

Re: [RFC] Ability to delete auto login keys

Post by naderman »

Sounds pretty useful, looking forward to a patch! :mrgreen:

code reader
Registered User
Posts: 653
Joined: Wed Sep 21, 2005 3:01 pm

Re: [RFC] Ability to delete auto login keys

Post by code reader »

counter proposal:
instead of listing all the machines someone logged in from (might not even be useful in case someone lives behind a NAT router, such as on a campus), wouldn't it be simpler and more effective to just provide an interface to remove (or replace) the current key?
supposedly (as far as i understand) this will render all the auto-login cookies useless, and will require a new login from each of those machines.

simpler, more elegant and achieve the desired outcome.

peace.

naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Berlin, Germany

Re: [RFC] Ability to delete auto login keys

Post by naderman »

It definitely is a lot simpler from an end user's perspective. On the other hand what Andreas suggested gives you a lot more power, not sure what the best choice in this case would be. It might be useful to be able to see what autologin cookies are still in the system.

MichaelC
Development Team
Posts: 889
Joined: Thu Jan 28, 2010 6:29 pm

Re: [RFC] Ability to delete auto login keys

Post by MichaelC »

I think the suggestions by bantu would be better than yours simply because of the coding side of actually doing it.

bantu
3.0 Release Manager
Posts: 557
Joined: Thu Sep 07, 2006 11:22 am
Location: Karlsruhe, Germany

Re: [RFC] Ability to delete auto login keys

Post by bantu »

code reader wrote: instead of listing all the machines someone logged in from (might not even be useful in case someone lives behind a NAT router, such as on a campus), wouldn't it be simpler and more effective to just provide an interface to remove (or replace) the current key?
NAT is not really an issue. If one is not sure which key to remove, he/she just removes all. Most people will be able to differentiate between their campus key and home key based on the IP. It should be possible to look up all the IPs in RDNS to ease this step up.
Removing the current key doesn't really help, because one can have many keys. You can remove the current key by using Logout.
code reader wrote: supposedly (as far as i understand) this will render all the auto-login cookies useless, and will require a new login from each of those machines.
Yes. This is what you want when you accidentally selected "Log me in automatically" before logging in, e.g. on a shared computer.

Nelsaidi
Registered User
Posts: 122
Joined: Tue Nov 11, 2008 5:44 pm

Re: [RFC] Ability to delete auto login keys

Post by Nelsaidi »

bantu wrote: I'd suggest adding
  • The last IP this key has been used from
  • The last User-Agent this key has been used from
to give some more useful data to the user.

A user interface / ucp module has to be written.
This would be good, as well as possibly ending sessions? - Can help increase security - You know in Gmail, how you can see the last 5 IPs logged in, their user agents, such a system may be good security wise.

But I like this idea :D

code reader
Registered User
Posts: 653
Joined: Wed Sep 21, 2005 3:01 pm

Re: [RFC] Ability to delete auto login keys

Post by code reader »

naderman wrote: It definitely is a lot simpler from an end user's perspective. On the other hand what Andreas suggested gives you a lot more power, not sure what the best choice in this case would be. It might be useful to be able to see what autologin cookies are still in the system.
in my book when you can achieve 90% of the functionality with 5 lines of code vs. 100% with 200 (and a new file, i would guess - html for the form) there is no contest.
even if the code already exists in a MOD, this fact is immaterial - when you consider the cost of additional code, writing it is less than 10%.

peace.

bantu
3.0 Release Manager
Posts: 557
Joined: Thu Sep 07, 2006 11:22 am
Location: Karlsruhe, Germany

Re: [RFC] Ability to delete auto login keys

Post by bantu »


poppertom69
Registered User
Posts: 8
Joined: Mon Jan 07, 2008 12:32 pm

Re: [RFC] Ability to delete auto login keys

Post by poppertom69 »

This is a good idea. I think you should highlight in some way the key currently in-use so the user knows which key they are using at that moment. This would be useful so they don't delete the session they are using currently.
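
Added example, not part of any post in this thread and not phpBB code: a small Python/SQLite model of the design discussed above, with the per-key listing and revocation from the first post, the "remove everything" alternative, and a marker for the key currently in use. The table name, function names and the choice to store only a hash of the cookie value are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3

# Columns follow the first post (key, user_id, last_login, last IP, last User-Agent).
SCHEMA = """CREATE TABLE autologin_keys (key_hash TEXT PRIMARY KEY,
    user_id INTEGER NOT NULL, last_login INTEGER, last_ip TEXT, last_user_agent TEXT)"""

def _h(raw_key):
    # Assumption: only a hash of the cookie value is stored server-side.
    return hashlib.sha256(raw_key.encode()).hexdigest()

def issue_key(db, user_id, ip, user_agent, now):
    raw = secrets.token_hex(16)  # value that would be placed in the cookie
    db.execute("INSERT INTO autologin_keys VALUES (?, ?, ?, ?, ?)",
               (_h(raw), user_id, now, ip, user_agent))
    return raw

def list_keys(db, user_id, current_raw_key=None):
    """Rows for the UCP listing; 'current' marks the key this browser uses."""
    cur = _h(current_raw_key) if current_raw_key else None
    rows = db.execute(
        "SELECT key_hash, last_login, last_ip, last_user_agent FROM autologin_keys"
        " WHERE user_id = ? ORDER BY last_login DESC", (user_id,)).fetchall()
    return [{"id": k, "last_login": t, "ip": ip, "ua": ua, "current": k == cur}
            for k, t, ip, ua in rows]

def revoke_key(db, user_id, key_hash):
    """Delete one key; the user_id condition keeps users off other users' keys."""
    return db.execute("DELETE FROM autologin_keys WHERE key_hash = ? AND user_id = ?",
                      (key_hash, user_id)).rowcount == 1

def revoke_all(db, user_id):
    """The simpler alternative from the thread: drop every key of the user."""
    return db.execute("DELETE FROM autologin_keys WHERE user_id = ?", (user_id,)).rowcount

def demo():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    # Constructed sample data (documentation-range IPs, made-up User-Agents).
    home = issue_key(db, 2, "192.0.2.10", "Firefox (home)", 1000)
    issue_key(db, 2, "198.51.100.7", "IE (library PC)", 2000)
    issue_key(db, 3, "203.0.113.5", "Opera", 1500)
    keys = list_keys(db, 2, current_raw_key=home)
    stale = next(k for k in keys if not k["current"])
    wrong_owner = revoke_key(db, 3, stale["id"])  # user 3 names user 2's key
    ok = revoke_key(db, 2, stale["id"])
    return keys, wrong_owner, ok, list_keys(db, 2, home), revoke_all(db, 3)
```

Scoping the `DELETE` to the logged-in user's `user_id` is what stops a crafted form submission from revoking someone else's key.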
