
Change auth_key when have a new password #206

Open
mingchi21 opened this issue May 4, 2018 · 2 comments

Comments

@mingchi21

I have a problem: if I log in on another device with [Remember Me] checked and forget to log out,
then that device stays logged in until I log out manually.
Even if I change the password on any other device, the logged-in device can still access my account.
The program implements [Remember Me] by checking the cookie with id and auth_key.
I think it should regenerate the auth_key when the password is changed, and the code in
models/User.php would be modified as follows. So when I change the password on one device, the other logged-in devices will lose their logged-in state after closing the browser.

```php
    /**
     * @inheritdoc
     */
    public function beforeSave($insert)
    {
        ...
        // hash new password if set
        if ($this->newPassword) {
            $this->password = Yii::$app->security->generatePasswordHash($this->newPassword);
            // proposed: rotate auth_key so existing [Remember Me] cookies stop validating
            $this->auth_key = Yii::$app->security->generateRandomString();
        }
        return parent::beforeSave($insert);
    }
```
@amnah
Owner

amnah commented May 5, 2018

Hmmm good idea, but unfortunately your solution wouldn't really work. It's a bit more complicated than just changing their auth_key.

https://github.com/yiisoft/yii2/blob/master/framework/web/User.php#L670-L712

From here you can see that it checks the session first. If it fails the session check, then it falls back to the cookie/auth_key check.

So to accomplish what you want, you would need to start storing the user's session somewhere (eg, in the database) and then invalidate all the sessions through that.

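A sketch of what amnah's suggestion looks like in code, as an added example that is not part of yii2-user or of this thread: sessions are stored in the database with Yii's DbSession and tagged with the owning user (the `user_id` column, the `invalidateOtherSessions()` helper and the shape of the User model below are assumptions), the auth_key is rotated on password change as proposed in the issue, and every other stored session of that user is deleted after the save. The `...` in the original beforeSave() stands for the project's remaining logic and is not reproduced.

```php
<?php
// Added example, not yii2-user's own code. Assumes a Yii 2 app whose `session`
// table (yii\web\DbSession) has an extra nullable `user_id` column, e.g.
//   ALTER TABLE session ADD COLUMN user_id INT NULL;
// The column name, invalidateOtherSessions() and the model shape are
// assumptions for this example.
namespace app\models;

use Yii;
use yii\base\NotSupportedException;
use yii\db\ActiveRecord;
use yii\web\IdentityInterface;

// 1. Session storage (fragment for 'components' in config/web.php). DbSession
//    calls writeCallback on every write and merges the returned columns into
//    the session row, so each stored session is tagged with its user id.
$sessionComponent = [
    'class' => 'yii\web\DbSession',
    'sessionTable' => '{{%session}}',
    'writeCallback' => function ($session) {
        return ['user_id' => Yii::$app->user->id]; // null for guests
    },
];

// 2. Identity model: rotate auth_key on password change (the proposal in this
//    issue) and additionally drop the user's other sessions after the save.
class User extends ActiveRecord implements IdentityInterface
{
    /** @var string|null plaintext password to hash on save (never stored) */
    public $newPassword;

    public static function tableName()
    {
        return '{{%user}}';
    }

    public static function findIdentity($id)
    {
        return static::findOne($id);
    }

    public static function findIdentityByAccessToken($token, $type = null)
    {
        throw new NotSupportedException('Access tokens are not used here.');
    }

    public function getId()
    {
        return $this->id;
    }

    public function getAuthKey()
    {
        return $this->auth_key;
    }

    // yii\web\User::loginByCookie() calls this with the auth_key from the
    // identity cookie; after rotation every old [Remember Me] cookie fails.
    public function validateAuthKey($authKey)
    {
        return hash_equals((string) $this->auth_key, (string) $authKey);
    }

    public function beforeSave($insert)
    {
        if (!parent::beforeSave($insert)) {
            return false;
        }
        if ($this->newPassword) {
            $this->password = Yii::$app->security->generatePasswordHash($this->newPassword);
            $this->auth_key = Yii::$app->security->generateRandomString();
        }
        return true;
    }

    public function afterSave($insert, $changedAttributes)
    {
        parent::afterSave($insert, $changedAttributes);
        // $changedAttributes holds the OLD values of attributes that changed,
        // so the key 'auth_key' being present means the key was just rotated.
        if (!$insert && array_key_exists('auth_key', $changedAttributes)) {
            $this->invalidateOtherSessions();
        }
    }

    /**
     * Delete every stored session of this user except the one making the
     * request. Devices that relied on a live server-side session (the path
     * yii\web\User checks before the cookie) are logged out on their next hit.
     * Outside a web request (no active session) all of the user's sessions go.
     * @return int number of session rows deleted
     */
    public function invalidateOtherSessions()
    {
        $keep = Yii::$app->has('session') && Yii::$app->session->getIsActive()
            ? Yii::$app->session->id
            : '';
        return Yii::$app->db->createCommand()->delete('{{%session}}', [
            'and',
            ['user_id' => $this->id],
            ['<>', 'id', $keep],
        ])->execute();
    }
}
```

Two caveats when wiring this in. The device that changes the password still holds a [Remember Me] cookie with the old auth_key, so the controller that saves the new password should call `Yii::$app->user->login($user, $duration)` again with a non-zero duration to issue a fresh identity cookie; otherwise that device is also logged out once its session expires. And the session cleanup only covers sessions written through DbSession: sessions created before the `writeCallback` was configured have a NULL `user_id` and are not touched until they expire.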
@mingchi21
Author

mingchi21 commented May 6, 2018 via email
