320726 - Allow users to disconnect other concurrent sessions

Status: ASSIGNED

(Bugzilla :: User Accounts, enhancement)

Description

[Frédéric Buclin]

Assuming you logged in from computerA, then went away forgetting to log out and you are now logged in from computerB. What you would probably like to do is to be able to disconnect your session running from computerA (without having to change your password from userprefs.cgi).

This would also be useful if you realize you have a currently running session from the other part of the world (e.g. due to a stolen password). In this case, you would probably want to disconnect him too (and change your password!).


(18:11:39) joel: I had a hack to do this where, if I start from the home page and log in, I get sent back to the home page after I do log in.
(18:11:39) LpSolit: "Welcome Joel, you last login was 2 hours 13 minutes ago from China"
(18:11:47) joel: and then I displayed it on that page.
(18:12:04) joel: It would show the most recent 5 sessions on the homepage.
(18:12:48) joel: You could then make it show them with the status of ACTIVE/INACTIVE next to them and, by clicking on a session, permit it to be deactivated.
(18:13:57) LpSolit: but if someone has you password, he could do the same with your session :-/
(18:14:13) LpSolit: unless this requires another password, different from the login one
(18:14:25) LpSolit: which would probably be a good idea

Comment 1

[Max Kanat-Alexander]

This could be a good idea. Just another checkbox on the login form.

There's no reason this should require another password.

Comment 2

[Frédéric Buclin]

Attachment: patch, v1

I only tested my patch with DB/CGI.

Comment 3

[Olav Vitters]

Comment on attachment 295220 [details] [diff] [review]
patch, v1

>Index: index.cgi

>+# Checks whether the user is logged in from several places.

Should this really be on the index.cgi page? Ok, it is more secure. However, not sure if we want to (should) add this information to the index page. I think this belongs somewhere else (Accounts / userprefs.cgi).

>Index: template/en/default/global/messages.html.tmpl

>+      [% FOREACH session = sessions %]
>+        <li>
>+          Cookie: [% session.cookie FILTER html %]
>+          <b>IP: [% session.ipaddr FILTER html %]</b>

That is only an IP address is loginnetmask is set to 32. In other cases it is something between the IP address and 0.0.0.0.

Comment 4

[Frédéric Buclin]

(In reply to comment #3)
> Should this really be on the index.cgi page? Ok, it is more secure.

I think that's the best place to display this information. That's the page from where users generally log in. Having it in userprefs.cgi would make it almost invisible (how often do you edit your prefs?).


> That is only an IP address is loginnetmask is set to 32. In other cases it is
> something between the IP address and 0.0.0.0.

Is that a problem? What else would you write?

Comment 5

[Max Kanat-Alexander]

Bugzilla 3.2 is now frozen. Only enhancements blocking 3.2 or specifically approved for 3.2 may be checked in to the 3.2 branch. If you would like to nominate your enhancement for Bugzilla 3.2, set "blocking3.2" tp "?", and either the target milestone will be changed back, or the blocking3.2 flag will be granted, if we will accept this enhancement for Bugzilla 3.2.

Comment 6

[Reed Loden [:reed]]

Attachment: patch - v1

How about this? It needs some clean-up still (mostly in how it displays stuff), but it all works...

Comment 7

[Frédéric Buclin]

I'm not sure userprefs is the best place to display this, for two reasons:
1) It has nothing to do with preferences or user settings;
2) Most of the time, it will be empty, or contain only very few login cookies, which I think doesn't require its own tab.

If we really think that userprefs is the best place, in that case I would prefer to reuse an existing tab, e.g the Account Information one. Opinion?

Comment 8

[Reed Loden [:reed]]

I'm fine with putting it at the bottom of Account Information.

Comment 9

[Frédéric Buclin]

Comment on attachment 498977 [details] [diff] [review]
patch - v1

Yes, let's do that.