Admin password/email changed and he is still logged in and carrying out operations

#1
Hello,
A system developed with CodeIgniter is giving us admin login issues.

When the admin password is changed in the DB, the admin is still logged in and can carry out operations.
When the admin email is changed in the DB, the same admin is still logged on and can carry out operations.
When both email and password are changed in the DB, they are still logged on and can carry out operations.

Please, how can we resolve this?
How can the admin be logged off immediately when his password or email is changed?

Any suggestion will help.


Thank you in advance.

#2
So the problem is that once a session is created, it on its own does not know that it should log the user out.

I might be wrong, but I assume searching for sessions connected to specific users is also going to be more work than it's worth, depending on your site usage and which storage engine you use, potentially even impossible.

You could create a table for forced re-logins, so if a user's password or email is changed, it adds a record with the user ID in that table.

For every logged-in admin request, you check if the current session user ID is present; if so, log the user out and remove the record.

It adds 1 additional check for every single request, but that's probably the only way you can make sure users are logged out the second changes were made.
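Pertti's forced re-login table, written out as an added example (this is not code from the thread or from CodeIgniter itself). It assumes CodeIgniter 3, a table `forced_relogin(user_id)` that you create yourself, a session key `user_id` set at login, and a login route `admin/login`; the class name `Admin_base` is hypothetical.

```php
<?php
// application/core/MY_Controller.php (added example, CodeIgniter 3 assumed)
// Assumed table: CREATE TABLE forced_relogin (user_id INT PRIMARY KEY);
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->database();
        $this->load->library('session');
        $this->load->helper('url');
    }

    // Call this wherever an admin's password or email is updated in the DB.
    // It records the user ID so that the next request from that session ends it.
    // REPLACE keeps the table free of duplicates if the credentials change twice.
    protected function force_relogin($user_id)
    {
        $this->db->replace('forced_relogin', ['user_id' => (int) $user_id]);
    }

    // Run on every request of a logged-in admin. If the session's user ID is in
    // the table, destroy the session, remove the record and send the user to
    // the login page. Note that the record is removed by the first request that
    // matches, so only that one session is ended, exactly as described in the thread.
    protected function check_forced_relogin()
    {
        $user_id = $this->session->userdata('user_id');
        if ($user_id === NULL) {
            return;  // not logged in, nothing to check
        }
        $pending = $this->db->where('user_id', (int) $user_id)
                            ->count_all_results('forced_relogin');
        if ($pending > 0) {
            $this->db->where('user_id', (int) $user_id)->delete('forced_relogin');
            $this->session->sess_destroy();
            redirect('admin/login');
        }
    }
}

// Every admin controller extends this, so the check runs before any action.
class Admin_base extends MY_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->check_forced_relogin();
    }
}
```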

#3
(12-13-2018, 04:07 AM)Pertti Wrote: So the problem is that once a session is created, it on its own does not know that it should log the user out.

I might be wrong, but I assume searching for sessions connected to specific users is also going to be more work than it's worth, depending on your site usage and which storage engine you use, potentially even impossible.

You could create a table for forced re-logins, so if a user's password or email is changed, it adds a record with the user ID in that table.

For every logged-in admin request, you check if the current session user ID is present; if so, log the user out and remove the record.

It adds 1 additional check for every single request, but that's probably the only way you can make sure users are logged out the second changes were made.

I think your last option is worth implementing. Thank you very much, Pertti.