-
-
Notifications
You must be signed in to change notification settings - Fork 105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Button to invalidate all existing session #1017
Comments
We don't store sessions so I'm not sure how we'll manage to do this. It's all stateless. |
Just thinking out loud here...
The first two steps seem reasonable, but the third I am not sure about. |
I didn't realize the sessions were stateless, I'll take a look at this and try to come up with some ideas.
Doesn't sound like this actually invalidates the cookie? Which in my mind is the security concern... This actually leaves me with a question - do sessions expire at all? |
@ekzyis if sessions don't expire at all, I think that should be separate security issue fwiw |
It would since any JWT that was created before user hit "invalidate all sessions" will no longer be accepted. So it's effectively invalidated, no?
Default expiration is 30 days but they are regular refreshed while you're logged in and on the site. |
@ekzyis , clearing the session cookie via a Set-Cookie header doesn't invalidate the session, it simply removes it from the browser. See the screenshots, showing the "me" GraphQL query returning my user data while I'm logged in, the sign out request setting the cookie to be empty, and the same GraphQL query returning my user data again even AFTER the sign out request. You'll have to take my word for it that it's the same cookie (obviously don't want to send that in plain view), and take a look at the time stamps. You can also try this on your own by grabbing the cookie from your browser and placing it back in after logging out, or using Burp Suite repeater (which is free, but takes a few minutes to set up if you haven't used it before). Other thing worth noting here is that the refresh request is being sent every second, which means every second a new valid session cookie is being generated and won't expire for 30 days. Personally I would recommend that be sent significantly less often, but these are all low or informational level risks. |
Clearing the cookie via |
This sounds interesting:
-- stackoverflow.com, Invalidating JSON Web Tokens Instead of storing a date and having additional custom logic to check if a JWT was revoked, we could sign JWTs with unique keys per user. For example, we could generate some random data when a user is created and derive a new secret key from this random data + our secret in If we would provide this derived secret here: stacker.news/pages/api/auth/[...nextauth].js Lines 217 to 234 in 255ad29
This "more native solution" could "magically" "just work" then (assuming it's really that easy and there are no pitfalls). Maybe we could leverage overriding jwt: {
async encode(params: {
token: JWT
secret: string
maxAge: number
}): Promise<string> {
// return a custom encoded JWT string
return "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
},
async decode(params: {
token: string
secret: string
}): Promise<JWT | null> {
// return a `JWT` object, or `null` if decoding failed
return {}
},
} |
Yeah I think this is the simplest solution, and it sounds way easier than keeping a database of session tokens. This also gives you the option of resetting the key automatically every X days, so that a user can't refresh their session indefinitely. Can't see any meaningful risks with that idea as long as the user keys are generated via a CSPRNG and aren't exposed to the user. |
Would you need to override encode/decode if all you're doing is providing a different secret? |
You are right, we don't afaict. No longer know what I was thinking in my previous comment lol |
Is your feature request related to a problem? Please describe.
We don't have a button to invalidate all existing sessions.
Describe the solution you'd like
Button to invalidate all existing sessions. Could be in the settings.
Github for reference:
Describe alternatives you've considered
n/a
Additional context
https://stacker.news/items/493900
Since we don't want to store any IPs or other identifiable information along session (like user agent), I don't think we can show geolocation data etc. alongside a session.
But as a MVP, a simple button that kills all sessions is imo enough anyway (every except the current one?). No need to show and kill active individual session.
Sats should go to @frstdrgn
The text was updated successfully, but these errors were encountered: