
Require a customer to re-login on all devices after password changing #4987

Closed
AndreiMaz opened this issue Aug 20, 2020 · 4 comments

Comments

@AndreiMaz
Member

Let's imagine that a customer is logged in on multiple devices (e.g. a laptop, a phone, etc.). When the password is changed on one of the devices, then we should require him (her) to re-login on the other devices.

Let's think about how we can implement it. Maybe some kind of tokens.

@AndreiMaz AndreiMaz added this to the Version 4.40 milestone Aug 20, 2020
@AndreiMaz AndreiMaz changed the title Required a customer to re-login on all devices after password changing Require a customer to re-login on all devices after password changing Aug 20, 2020
@AndreiMaz AndreiMaz modified the milestones: Version 4.40, Version 4.50 Dec 8, 2020
@RomanovM RomanovM modified the milestones: Version 4.50, Version 4.60 Oct 8, 2021
@AndreiMaz AndreiMaz modified the milestone: Version 4.60 Nov 12, 2021
@Avron108

Avron108 commented Jan 17, 2022

Perhaps using the date on which the cookie is created and comparing it to the CreatedOnUtc date from the CustomerPassword table; if it's older, then the device logs out and requires a re-login.

@ilich

ilich commented Apr 3, 2022

There is no cookie creation date, only the expiration date, if I am not mistaken. You will need to create a custom cookie when the user logs in, but an additional check on each request may cause multiple calls to the database per request. I tried it before for nopCommerce 4.00, but it caused a performance bottleneck due to the many additional queries. I ended up using server-sent events.

  • Each client subscribes to the SSE endpoint
  • When the password is changed, the customer GUID is broadcast
  • If your browser's customer GUID matches the updated customer GUID, we set the cookie to force logout

This solution worked well and didn't add additional load to the server. There might be a need to add an extra encryption layer to hide the customer GUID if the disclosure of this GUID adds an additional security risk.
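One way to implement the cookie-timestamp check Avron108 describes while avoiding the per-request database hit ilich ran into, as an added ASP.NET Core example rather than nopCommerce's own code: the auth ticket carries a `pwd_created_utc` claim written at sign-in, and the cookie handler's `OnValidatePrincipal` event compares it with `CustomerPassword.CreatedOnUtc` read through a short-lived cache. The `IPasswordStampLookup` service and the `customer_guid` claim name are assumptions, not nopCommerce APIs.

```csharp
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.DependencyInjection;

// Assumed service: returns CreatedOnUtc of the customer's currently active password.
public interface IPasswordStampLookup
{
    Task<DateTime> GetCurrentPasswordCreatedOnUtcAsync(Guid customerGuid);
}

public static class PasswordChangeCookieValidation
{
    public const string PasswordStampClaim = "pwd_created_utc"; // written into the ticket at sign-in
    public const string CustomerGuidClaim = "customer_guid";    // assumed claim name

    // Hook up with: options.Events.OnValidatePrincipal = PasswordChangeCookieValidation.ValidateAsync;
    public static async Task ValidateAsync(CookieValidatePrincipalContext context)
    {
        var guidClaim = context.Principal?.FindFirst(CustomerGuidClaim)?.Value;
        var stampClaim = context.Principal?.FindFirst(PasswordStampClaim)?.Value;
        if (guidClaim is null || stampClaim is null
            || !Guid.TryParse(guidClaim, out var customerGuid)
            || !DateTime.TryParse(stampClaim, CultureInfo.InvariantCulture,
                   DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out var cookieStamp))
        {
            context.RejectPrincipal(); // ticket predates this scheme or is malformed: treat as stale
            return;
        }

        var services = context.HttpContext.RequestServices;
        var cache = services.GetRequiredService<IMemoryCache>();
        var lookup = services.GetRequiredService<IPasswordStampLookup>();

        // Cache the stored stamp briefly so validation does not hit the database on every request.
        // The cache lifetime bounds how long an old session can survive after a password change.
        var currentStamp = await cache.GetOrCreateAsync($"pwdstamp:{customerGuid}", entry =>
        {
            entry.AbsoluteExpirationRelativeToNow = TimeSpan.FromMinutes(1);
            return lookup.GetCurrentPasswordCreatedOnUtcAsync(customerGuid);
        });

        // Ticket was issued before the current password was set: force re-login on this device.
        if (cookieStamp < currentStamp)
        {
            context.RejectPrincipal();
            await context.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        }
    }
}
```

The password-change handler should evict the `pwdstamp:{guid}` cache entry and re-issue the ticket on the device that made the change, so that device keeps its session while every other device's older ticket is rejected.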

@DmitriyKulagin
Contributor

Hi, @ilich
Your suggestion sounds interesting, could you share the implementation details via a pull request?

@skoshelev
Contributor

Closed #4987

skoshelev added a commit that referenced this issue Apr 12, 2023
mdy6 pushed a commit to rcsoffices/nopCommerce-origin that referenced this issue Jun 12, 2023
…etime during checking need of re-login after password changing