[Proposal] Support for multiple remember tokens #971
Comments
ArondeParon
changed the title
|
I’d be curious how often a user is generating tokens on multiple devices anyway. Seems like an edge case you could handle in your own app though, I don’t think it’s something that’ll happen that often to warrant such a change. |
|
I have a work computer, a home computer, and a mobile phone. GitHub remembers me on all three devices. Imagine how annoying it would be if I was forgotten everytime I changed device... This is also supported by BitBucket, Google, Slack, Facebook, and almost everything I use (except Jenkins). It's not a weird feature request at all, and it is just one more database table. |
|
Laravel only cycle the remember token if it is empty
https://github.com/laravel/framework/blob/5.5/src/Illuminate/Auth/SessionGuard.php#L447
However it does reset the remember token if you logout from one of the
device. Which I find should be expected behaviour unless you doing
something similar to Facebook where you can remotely revoke access from
each devices.
That would be a nice feature for 3rd party package IMHO.
…On Fri, Jan 26, 2018, 5:22 PM Simon Svensson ***@***.***> wrote:
I have a work computer, a home computer, and a mobile phone. GitHub
remembers me on all three devices. Imagine how annoying it would be if I
was forgotten everytime I changed device...
This is also supported by BitBucket, Google, Slack, Facebook, and almost
everything I use (except Jenkins). It's not a weird feature request at all,
and it is just one more database table.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#971 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAKjpnD6ceR09jfYG2P0Y_g4LAAOtHYpks5tOZlBgaJpZM4RsiR2>
.
|
I expect this is actually intended behavior because it prevents the cookie from being hijacked after you log out. If the remember token was not be cycled after logging out, an attacker could theoretically still login using your cookie. |
|
Right, so as @crynobone points out, you can login on multiple devices simultaneously as the remember token only changes when the token is empty, which ought to only happen when you log out. Having multiple tokens would allow you to boot a single session without having to boot all of them, though i.e. if your account was compromised. |
|
I'm definitely open to a PR in this area for 5.7 if someone wants to look into it. |
|
One issue I see in current implementation (shared remember token) is that if user logs out on temporary device, then he will get logged out everywhere. Example:
|
|
+1 for this request. It's not 2000 anymore, jumping from one device to another is a standard today. Laravel still works better than many other systems that just log you out once you log in on another device. Laravel forgets all your Remember Me sessions only if you explicitly log out on any device. The reason for this is that the remember token gets changed every time you log out. That's kinda quirky by the way, because even if you never use Remember Me option, your token will still be generated for you whenever you explicitly log out. I'd call it a small security hole. I think remember tokens should definitly go to separate table and make each device independent. Logging you out of all remembered sessions when you log out wherever makes for an illogical behavior. @hubertnnn gave a perfect example. People who regularily use non-trusted devices and will log out explicitly a lot, can forget about Remember Me option, as they will go crazy with being logged out all the time. |
That is exactly correct. If you log out in one of your devices the remember_me token will get refreshed which will affect all remembered devices. Need independent remembering per device feature on Laravel 5.7 |
I think so. But it was not solved. |
|
We created a package for this because we needed the functionality now: https://github.com/barchart/laravel-remember-all Looking for feedback, and then perhaps we can open a pull request to Laravel core. |
|
@tomsisk I went through the code, it looks fine to me. I think you'll get more feedbacks if you open a PR, it'll be more visible. Looking forward to see this feature in Laravel core! |
|
I don't like bumping old threads but I was surprised to find this is an issue in Laravel only after implementing a project recently. With ~100 users I get at least a daily complaint about this, and it makes Progressive Web Apps useless because Laravel breaks the PWA session as soon as the user signs in on a computer. I'd love to see this merged in core, it's a serious issue that I was surprised to see hasn't even been beyond the ideas phase yet. |
|
While I get the idea, being able to log out from all devices at once is also a feature (use cases : someone steals your stuff and you have only one device left, or you forgot to logout from an unsafe place). Maybe we could have a |
|
Sounds good. So that we can set remember_me on multiple devices |
|
This should definitely be integrated into Laravel's core. |
|
I'd love some comments on my PR for this: laravel/framework#30839 |
|
@ArondeParon This can be closed as it exists now (see laravel/docs#5659) |
|
Nice find! Closing issue. |
The current way of storing a "remember me" token in the the
remember_tokencolumn with the user restricts the use of this feature to a single device.Scenario:
A possible solution to this problem is to separate the remember tokens from the
userstable and store them in a separateremember_tokenstable.The text was updated successfully, but these errors were encountered: