Require a customer to re-login on all devices after password changing #4987
Perhaps using the date on which the cookie is created and comparing it to the CreatedOnUtc date from the CustomerPassword table; if the cookie is older, then the device logs out and requires a re-login.
There is no cookie creation date, only the expiration date, if I am not mistaken. You will need to create a custom cookie when the user logs in, but an additional check on each request may cause multiple calls to the database for each request. I tried it before for nopCommerce 4.00, but it caused a performance bottleneck due to many additional queries. I ended up using server-sent events.
This solution worked well and didn't add additional load to the server. There might be a need to add an extra encryption layer to hide the customer GUID if the disclosure of this GUID adds an additional security risk.
Hi, @ilich
Closed #4987
…ed of re-login after password changing
…etime during checking need of re-login after password changing
Let's imagine that a customer is logged in on multiple devices (e.g. a laptop, a phone, etc.). When the password is changed on one of the devices, then we should require him (her) to re-login on the other devices.
Let's think about how we can implement it. Maybe some kind of tokens.
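One way to implement the "cookie older than the password" check discussed in this thread, as an added example written for this page and not code from nopCommerce itself. ASP.NET Core's cookie authentication ticket already records an issue time (`AuthenticationProperties.IssuedUtc`), and the `CookieAuthenticationEvents.ValidatePrincipal` hook runs on every authenticated request, so the ticket's issue time can be compared against the latest `CustomerPassword.CreatedOnUtc`. To address the per-request database cost raised above, the lookup result is cached per customer for a short window and evicted when the password changes. Assumptions that are not part of the project: the principal carries a claim named `customer_guid`, and the database access is abstracted as a `Func<Guid, Task<DateTime?>>` delegate that the caller wires to the real `CustomerPassword` query.

```csharp
// Added example (not nopCommerce's own code): reject cookie-auth tickets that were
// issued before the customer's most recent password change.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.DependencyInjection;

public sealed class PasswordChangedCookieEvents : CookieAuthenticationEvents
{
    // Assumption: this claim type holds the customer GUID; nopCommerce's real claim set may differ.
    public const string CustomerGuidClaimType = "customer_guid";

    private static readonly TimeSpan CacheTtl = TimeSpan.FromSeconds(60);

    private readonly IMemoryCache _cache;
    // Assumption: returns the CreatedOnUtc of the customer's latest CustomerPassword row,
    // or null when the customer is unknown. Wired to the real data layer by the caller.
    private readonly Func<Guid, Task<DateTime?>> _loadLatestPasswordCreatedOnUtc;

    public PasswordChangedCookieEvents(IMemoryCache cache, Func<Guid, Task<DateTime?>> loadLatestPasswordCreatedOnUtc)
    {
        _cache = cache;
        _loadLatestPasswordCreatedOnUtc = loadLatestPasswordCreatedOnUtc;
    }

    private static string CacheKey(Guid customerGuid) => $"pwd-changed:{customerGuid}";

    // Call this from the password-change code path so the next request on every device
    // re-reads CreatedOnUtc instead of serving a stale cached value for up to CacheTtl.
    public void Invalidate(Guid customerGuid) => _cache.Remove(CacheKey(customerGuid));

    public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
    {
        var issuedUtc = context.Properties.IssuedUtc;
        var guidText = context.Principal?.FindFirst(CustomerGuidClaimType)?.Value;

        // Fail closed: a ticket without an issue time or a parseable customer GUID cannot be
        // checked, so it is not trusted.
        if (issuedUtc is null || !Guid.TryParse(guidText, out var customerGuid))
        {
            await RejectAsync(context);
            return;
        }

        // One database read per customer per CacheTtl instead of one per request.
        var passwordCreatedOnUtc = await _cache.GetOrCreateAsync(CacheKey(customerGuid), entry =>
        {
            entry.AbsoluteExpirationRelativeToNow = CacheTtl;
            return _loadLatestPasswordCreatedOnUtc(customerGuid);
        });

        // Ticket issued before the current password was set: the password changed on
        // another device since this login, so force a re-login here.
        if (passwordCreatedOnUtc is null || issuedUtc.Value.UtcDateTime < passwordCreatedOnUtc.Value)
        {
            await RejectAsync(context);
        }
    }

    private static async Task RejectAsync(CookieValidatePrincipalContext context)
    {
        context.RejectPrincipal();
        // Also clear the cookie so the browser stops presenting the dead ticket.
        await context.HttpContext.SignOutAsync(context.Scheme.Name);
    }
}

public static class PasswordChangedCookieEventsRegistration
{
    // Registration for Startup/Program: the events class is resolved from DI via EventsType.
    public static IServiceCollection AddPasswordChangeInvalidation(
        this IServiceCollection services, Func<Guid, Task<DateTime?>> loadLatestPasswordCreatedOnUtc)
    {
        services.AddMemoryCache();
        services.AddSingleton(sp => new PasswordChangedCookieEvents(
            sp.GetRequiredService<IMemoryCache>(), loadLatestPasswordCreatedOnUtc));
        services.ConfigureApplicationCookie(options =>
            options.EventsType = typeof(PasswordChangedCookieEvents));
        return services;
    }
}
```

Two practical caveats. The device on which the password is changed must be signed in again after the change so that its new ticket's `IssuedUtc` postdates `CreatedOnUtc`; otherwise that device logs itself out on the next request. And `IMemoryCache` is per process: in a web farm, `Invalidate` only clears the local node, so other nodes keep honouring old tickets for up to the TTL. Either keep the TTL short enough to accept that window, or replace the cache with a distributed one.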