phpBB

Development Discussion Board

phpBB's testing ground of bleeding edge code

[RFC|Merged] Ability to delete auto login keys

These requests for comments have led to an implemented feature that has been successfully merged into the 3.1/Ascraeus branch. Everything listed in this forum will be available in phpBB 3.1.

Postby bantu » Wed Apr 14, 2010 2:27 pm

I'd like to suggest to introduce an option to delete auto-login keys from the UCP.

What?
  • A list of auto login cookie keys the current user has shall be listed somewhere in the UCP.
  • The option to delete/revoke any specific key shall be given to the user.

Why?
  • It's currently not possible to delete auto login keys used on computers where you accidentally stayed logged in.
  • Logout does only delete the key being used at the moment of logout (if any).

Implementation Details
We currently (3.0.x) store the following data in the session key table.
  • key
  • user_id
  • last_login

I'd suggest to add
  • The last IP this key has been used from
  • The last User-Agent this key has been used from
to give some more useful data to the user.

A user interface / ucp module has to be written.

Ticket
http://tracker.phpbb.com/browse/PHPBB3-9647
Pull Request
https://github.com/phpbb/phpbb3/pull/652
bantu
3.0 Release Manager
Posts: 437
Joined: Thu Sep 07, 2006 11:22 am
Location: Karlsruhe, Germany
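
The proposal in the post above, as an added example that is not phpBB's code and not part of the thread: a key table with the three existing columns plus the two proposed ones, a per-user listing, and revocation of one specific key next to the logout behaviour the post describes. The table name, function names and the choice to store a SHA-256 hash instead of the raw cookie key are assumptions of this example.

```python
import hashlib, secrets, sqlite3, time

def open_db():
    db = sqlite3.connect(":memory:")
    # key, user_id and last_login are the 3.0.x columns named in the post;
    # last_ip and last_user_agent are the two proposed additions.
    db.execute("""CREATE TABLE session_keys (
        key_hash TEXT PRIMARY KEY,  -- assumption: SHA-256 of the cookie key
        user_id INTEGER NOT NULL, last_login INTEGER NOT NULL,
        last_ip TEXT NOT NULL, last_user_agent TEXT NOT NULL)""")
    return db

def _hash(key):
    return hashlib.sha256(key.encode()).hexdigest()

def issue_key(db, user_id, ip, user_agent):
    """Login with 'Log me in automatically': returns the value for the cookie."""
    key = secrets.token_hex(16)
    db.execute("INSERT INTO session_keys VALUES (?, ?, ?, ?, ?)",
               (_hash(key), user_id, int(time.time()), ip, user_agent))
    return key

def auto_login(db, key, ip, user_agent):
    """Return the user_id for a valid key and refresh its last-use data, else None."""
    row = db.execute("SELECT user_id FROM session_keys WHERE key_hash = ?",
                     (_hash(key),)).fetchone()
    if row is None:
        return None
    db.execute("UPDATE session_keys SET last_login = ?, last_ip = ?, "
               "last_user_agent = ? WHERE key_hash = ?",
               (int(time.time()), ip, user_agent, _hash(key)))
    return row[0]

def list_keys(db, user_id):
    """Rows for the UCP list. Only the hash is shown; it cannot be replayed as a cookie."""
    return db.execute("SELECT key_hash, last_login, last_ip, last_user_agent "
                      "FROM session_keys WHERE user_id = ?", (user_id,)).fetchall()

def revoke_key(db, user_id, key_hash):
    """Delete one key, scoped to its owner so users cannot revoke each other's keys."""
    return db.execute("DELETE FROM session_keys WHERE user_id = ? AND key_hash = ?",
                      (user_id, key_hash)).rowcount

def logout(db, key):
    """Logout as described in the post: only the key in use is deleted."""
    return db.execute("DELETE FROM session_keys WHERE key_hash = ?",
                      (_hash(key),)).rowcount
```

Issuing two keys for one user and calling `logout` with the first leaves the second still accepted by `auto_login`, which is the gap the per-key `revoke_key` closes.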

Re: [RFC] Ability to delete auto login keys

Postby naderman » Wed Apr 14, 2010 2:39 pm

Sounds pretty useful, looking forward to a patch! :mrgreen:
www.naderman.de
Move your forum to Forumatic - we'll take care of maintenance & spam
naderman
Development Team Leader
Posts: 1649
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany

Re: [RFC] Ability to delete auto login keys

Postby code reader » Wed Apr 14, 2010 4:39 pm

counter proposal:
instead of listing all the machines someone logged in from (might not even be useful in case someone lives behind a NAT router, such as on a campus), wouldn't it be simpler and more effective to just provide an interface to remove (or replace) the current key?
supposedly (as far as i understand) this will render all the auto-login cookies useless, and will require a new login from each of those machines.

simpler, more elegant and achieve the desired outcome.

peace.
code reader
Registered User
 
Posts: 629
Joined: Wed Sep 21, 2005 3:01 pm

Re: [RFC] Ability to delete auto login keys

Postby naderman » Wed Apr 14, 2010 5:03 pm

It definitely is a lot simpler from an end user's perspective. On the other hand what Andreas suggested gives you a lot more power, not sure what the best choice in this case would be. It might be useful to be able to see what autologin cookies are still in the system.
www.naderman.de
Move your forum to Forumatic - we'll take care of maintenance & spam
naderman
Development Team Leader
Posts: 1649
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany

Re: [RFC] Ability to delete auto login keys

Postby MichaelC » Wed Apr 14, 2010 5:50 pm

I think the suggestions by bantu would be better than yours simply because of the coding side of actually doing it.
Unknown Bliss
psoTFX wrote:I went with Olympus because as I said to the teams ... "It's been one hell of a hill to climb"

No unsolicited PMs please except for quotes.
MichaelC
Website Team
Posts: 797
Joined: Thu Jan 28, 2010 6:29 pm

Re: [RFC] Ability to delete auto login keys

Postby bantu » Wed Apr 14, 2010 6:44 pm

code reader wrote:instead of listing all the machines someone logged in from (might not even be useful in case someone lives behind a NAT router, such as on a campus), wouldn't it be simpler and more effective to just provide an interface to remove (or replace) the current key?
NAT is not really an issue. If one is not sure which key to remove, he/she just removes all. Most people will be able to differentiate between their campus key and home key based on the IP. It should be possible to look up all the IPs in RDNS to ease this step up.
Removing the current key doesn't really help, because one can have many keys. You can remove the current key by using Logout.

code reader wrote:supposedly (as far as i understand) this will render all the auto-login cookies useless, and will require a new login from each of those machines.
Yes. This is what you want when you accidentally selected "Log me in automatically" before logging in, e.g. on a shared computer.
bantu
3.0 Release Manager
Posts: 437
Joined: Thu Sep 07, 2006 11:22 am
Location: Karlsruhe, Germany

Re: [RFC] Ability to delete auto login keys

Postby Nelsaidi » Wed Apr 14, 2010 6:50 pm

bantu wrote:I'd suggest to add
  • The last IP this key has been used from
  • The last User-Agent this key has been used from
to give some more useful data to the user.

A user interface / ucp module has to be written.


This would be good, as well as possibly ending sessions? - Can help increase security - You know in Gmail, how you can see the last 5 IPs logged in, their user agents, such a system may be good security wise.

But I like this idea :D
Nelsaidi
Registered User
 
Posts: 122
Joined: Tue Nov 11, 2008 5:44 pm

Re: [RFC] Ability to delete auto login keys

Postby code reader » Wed Apr 14, 2010 7:38 pm

naderman wrote: It definitely is a lot simpler from an end user's perspective. On the other hand what Andreas suggested gives you a lot more power, not sure what the best choice in this case would be. It might be useful to be able to see what autologin cookies are still in the system.

in my book when you can achieve 90% of the functionality with 5 lines of code vs. 100% with 200 (and a new file, i would guess - html for the form) there is no contest.
even if the code already exists in a MOD, this fact is immaterial - when you consider the cost of additional code, writing it is less than 10%.

peace.
code reader
Registered User
 
Posts: 629
Joined: Wed Sep 21, 2005 3:01 pm

Re: [RFC] Ability to delete auto login keys

Postby bantu » Fri Jun 11, 2010 10:48 am

bantu
3.0 Release Manager
Posts: 437
Joined: Thu Sep 07, 2006 11:22 am
Location: Karlsruhe, Germany

Re: [RFC] Ability to delete auto login keys

Postby poppertom69 » Mon Jun 14, 2010 9:28 am

This is a good idea. I think you should highlight in some way the key currently in-use so the user knows which key they are using at that moment. This would be useful so they don't delete the session they are using currently.
poppertom69
Registered User
 
Posts: 8
Joined: Mon Jan 07, 2008 12:32 pm
