How to log a user out of the forum on all devices?
ESL Gaming is wondering if there is a way for them to do an API call or something that would allow them to force log out a user from the forum on all devices.
They use SSO.
Comments
-
I know with Vanilla's primary authentication method this is not possible. See this issue @Linc made a few months ago:
Therefore there is not a way to invalidate a particular user's login. This would be advantageous for more secure management of user logins. However, it requires a good deal of work on our authentication system.
2 -
TL;DR; Nope.
They could ban it and have a similar effect though.
https://docs.vanillaforums.com/help/apiv2/swagger/#/Users/put_users__id__ban
1 -
I explained this to the client:
As it turns out at the moment we currently don't fully implement session-based authentication. We issue a cookie with certain limitations, but that cookie is then valid until:
1. The time limit elapses.
2. The user's info changes.
3. The global cookie salt changes, invalidating ALL site cookies.
And the client came back with:
>Point 2 is interesting, what user info can we change to cause all of the user's cookies to become invalid?
>That maybe combined with revoking the OAuth access token may be sufficient?
Thoughts?
0 -
>2. The user's info changes.
I have no idea what I meant by that in the issue. As far as I know, the only user info that affects the cookie is UserID, so there's nothing they can change.
0
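The cookie behaviour discussed in this thread, as an added sketch that is not Vanilla's code and not part of any post: a cookie signed over only UserID and expiry ends at the time limit or when the global salt changes, while a per-user counter inside the signed payload allows one user to be logged out on all devices. The cookie layout, HMAC-SHA256, the salt value and every function and variable name are assumptions made for illustration.

```python
import hashlib
import hmac

# All names and values below are constructed for illustration.
GLOBAL_SALT = b"constructed-site-salt"
user_epoch = {42: 0}  # hypothetical per-user counter kept server-side


def _sign(payload: str, salt: bytes) -> bytes:
    return hmac.new(salt, payload.encode(), hashlib.sha256).hexdigest().encode()


def issue_stateless(user_id: int, expires: int, salt: bytes = GLOBAL_SALT) -> str:
    """Cookie bound only to UserID, expiry and the site-wide salt."""
    payload = f"{user_id}|{expires}"
    return f"{payload}|{_sign(payload, salt).decode()}"


def check_stateless(cookie: str, now: int, salt: bytes = GLOBAL_SALT) -> bool:
    payload, _, mac = cookie.rpartition("|")
    if not hmac.compare_digest(mac.encode(), _sign(payload, salt)):
        return False  # tampered cookie, or the global salt was rotated
    _user_id, expires = payload.split("|")
    return now < int(expires)  # otherwise only the time limit ends it


def issue_versioned(user_id: int, expires: int) -> str:
    """Same cookie plus the user's current epoch inside the signed payload."""
    payload = f"{user_id}|{expires}|{user_epoch[user_id]}"
    return f"{payload}|{_sign(payload, GLOBAL_SALT).decode()}"


def check_versioned(cookie: str, now: int) -> bool:
    payload, _, mac = cookie.rpartition("|")
    if not hmac.compare_digest(mac.encode(), _sign(payload, GLOBAL_SALT)):
        return False
    user_id, expires, epoch = payload.split("|")
    # One server-side lookup per request is the cost of per-user revocation.
    return now < int(expires) and int(epoch) == user_epoch.get(int(user_id), -1)


def force_logout(user_id: int) -> None:
    """Invalidate every cookie issued to this user, on every device."""
    user_epoch[user_id] += 1
```

In the stateless variant nothing stored per user takes part in validation, which is why the only site-side lever is the global salt.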