CodeIgniter Forums

Full Version: Admin password/email changed and he still logged in and carried operations
Hello,
A system developed with CodeIgniter is giving us admin log issues.

When the admin password is changed in the DB, the admin is still logged in and carries out operations.
When the admin email is changed in the DB, the same admin is still logged on and carries out operations.
When both email and password are changed in the DB, the admin is still logged on and carries out operations.

Please, how can we resolve this?
How can the admin be logged off immediately when his password or email is changed?

Any suggestion will be helpful.


Thank you in advance.
So the problem is that once a session is created, it on its own does not know that it should log the user out.

I might be wrong, but I assume searching for sessions connected to specific users is also going to be more work than it's worth, depending on your site usage and which storage engine you use, potentially even impossible.

You could create a table for forced re-logins, so if a user's password or email is changed, it adds a record with the user ID in that table.

For every logged-in admin request, you check if the current session user ID is present; if so, log the user out and remove the record.

It adds 1 additional check for every single request, but that's probably the only way you can make sure users are logged out the second changes are made.
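
A variation on the forced re-login table suggested above, as an added example that is not part of the original posts: rather than deleting the record after the first logout, it keeps the time of the change and compares it with each session's login time, so every session opened before the change is rejected, including one in a second browser. Table, column and function names are assumptions, and an in-memory SQLite database stands in for the real one.

```php
<?php
// Constructed schema; the names are illustrative and not taken from the thread.
function createSchema(PDO $db): void
{
    $db->exec('CREATE TABLE forced_relogin (
        user_id    INTEGER PRIMARY KEY,
        changed_at INTEGER NOT NULL)');
}

// Call this wherever an admin's password or email is updated.
// INSERT OR REPLACE is SQLite syntax; use the upsert form of your own database.
function flagCredentialChange(PDO $db, int $userId, int $now): void
{
    $stmt = $db->prepare(
        'INSERT OR REPLACE INTO forced_relogin (user_id, changed_at) VALUES (?, ?)'
    );
    $stmt->execute([$userId, $now]);
}

// Per-request check. Returns true when the session must be destroyed:
// either it is not authenticated, or it was created at or before the change.
function sessionIsStale(PDO $db, array $session): bool
{
    if (!isset($session['user_id'], $session['logged_in_at'])) {
        return true;
    }
    $stmt = $db->prepare('SELECT changed_at FROM forced_relogin WHERE user_id = ?');
    $stmt->execute([$session['user_id']]);
    $changedAt = $stmt->fetchColumn(); // false when no change was ever recorded
    return $changedAt !== false
        && (int) $changedAt >= (int) $session['logged_in_at'];
}

// Constructed demo: admin 7 has two sessions open when the password changes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);

$browserA = ['user_id' => 7, 'logged_in_at' => 1000];
$browserB = ['user_id' => 7, 'logged_in_at' => 1200];

var_dump(sessionIsStale($db, $browserA));    // checked before any change
flagCredentialChange($db, 7, 1500);          // password changed at t=1500
var_dump(sessionIsStale($db, $browserA));    // both old sessions are checked
var_dump(sessionIsStale($db, $browserB));
$afterRelogin = ['user_id' => 7, 'logged_in_at' => 1600];
var_dump(sessionIsStale($db, $afterRelogin)); // session created after the change
```

In the application, the check belongs in whatever code runs before every admin controller action; when it returns true, destroy the session and redirect to the login page.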
(12-13-2018, 03:07 AM)Pertti Wrote: So the problem is that once a session is created, it on its own does not know that it should log the user out.

I might be wrong, but I assume searching for sessions connected to specific users is also going to be more work than it's worth, depending on your site usage and which storage engine you use, potentially even impossible.

You could create a table for forced re-logins, so if a user's password or email is changed, it adds a record with the user ID in that table.

For every logged-in admin request, you check if the current session user ID is present; if so, log the user out and remove the record.

It adds 1 additional check for every single request, but that's probably the only way you can make sure users are logged out the second changes are made.

I think your last option is what's worth implementing. Thank you very much, Pertti.
Here are a few extra pieces of advice:
1- Try to use your admin from another browser so as to avoid a session clash (being a site user and admin user).

2- If your site has sensitive data, do not allow the browser to auto-complete your username and password fields.

3- You can set a maximum time for a session to be alive. That way, a session automatically expires after, for instance, 30 minutes of inactivity.

4- Make sure you are passing data like password from one page to another via PHP sessions... After login, set a token and assign it to admin. That way, if your session gets hijacked, you will protect your database.

Good luck

Matt
https://myhsts.org/
https://blockchain.dcwebmakers.com/
https://coding-bootcamps.com/
You should never pass a password through the sessions.