Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Using CodeIgniter Best Practices Admin password/email changed and he still logged in and carried operations
Admin password/email changed and he still logged in and carried operations
  • Offline codingdreams
    Newbie
  • *
  • Posts: 2
    Threads: 1
    Joined: Dec 2018
    Reputation: 0
#1
12-12-2018, 11:59 PM

Hello,
A  system developed with  Codeigniter is It is giving us admin log issues.

When Admin  password is changed  in DB, the  Admins is still logged in and carry operations
When  the admin  email is changed in DB , the same admin is still logged on and carry operations.
When both email and password is changed  in DB , the still logged on and carried operation.

Please, how can we resolve this?
How can the admin be logged of immediately hiw password or Email is Changed? 

Any suggestion will be help.


Thank you in advance.
Reply
  • Offline Pertti
    Senior Member
  • ****
  • Posts: 365
    Threads: 5
    Joined: May 2015
    Reputation: 32
#2
12-13-2018, 03:07 AM

So the problem is that once session is created, it on it's own does not know that it should log user out.

I might be wrong, but I assume searching for sessions connected to specific users is also going to be more work than it's worth, depending on you site usage and which storage engine you use, potentially even impossible.

You could create table for forced re-logins, so if user password or email is changed, it adds record with user ID in that table.

For every logged in admin request, you check if current session user ID is present, if so, log user out, remove record.

It adds 1 additional check for every single request, but that's probably only way you can make sure users are logged out the second changes were made.
Reply
  • Offline codingdreams
    Newbie
  • *
  • Posts: 2
    Threads: 1
    Joined: Dec 2018
    Reputation: 0
#3
12-13-2018, 01:45 PM

(12-13-2018, 03:07 AM)Pertti Wrote: So the problem is that once session is created, it on it's own does not know that it should log user out.

I might be wrong, but I assume searching for sessions connected to specific users is also going to be more work than it's worth, depending on you site usage and which storage engine you use, potentially even impossible.

You could create table for forced re-logins, so if user password or email is changed, it adds record with user ID in that table.

For every logged in admin request, you check if current session user ID is present, if so, log user out, remove record.

It adds 1 additional check for every single request, but that's probably only way you can make sure users are logged out the second changes were made.

I think your last option is what worth implementing.  Thank you very much Pertti
Reply
  • Offline MattZand
    Newbie
  • *
  • Posts: 3
    Threads: 0
    Joined: Sep 2019
    Reputation: 0
#4
10-06-2019, 11:43 AM
(This post was last modified: 10-06-2019, 01:22 PM by MattZand.)

Here are few extra advice:
1- Try to use your admin from another browser so that to avoid session clash (being a site user and admin user)

2- If your site has sensitive data, do not allow browser to auto-complete your username and password fields.

3- You can set maximum time for a session to be alive. That way, a session automatically gets expired after for instance 30 minutes of inactivity.

4- Make sure you are passing data like password from one page to another via PHP sessions... After login, set a token and assign it to admin. That way, if you session gets hijacked, you will protect your database.

Good luck

Matt
https://myhsts.org/
https://blockchain.dcwebmakers.com/
https://coding-bootcamps.com/
Reply
  • Offline InsiteFX
    Super Moderator
  • ******
  • Posts: 6,328
    Threads: 291
    Joined: Oct 2014
    Reputation: 235
#5
10-07-2019, 03:07 AM

You should never pass a password through the sessions.
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply




Theme © iAndrew 2016 - Forum software by © MyBB