How to log a user out of all sessions #69
Comments
Hi @HartS, Interesting; I can see how the ability to destroy all of a particular user's sessions (given the session id for one of the user's active sessions) could be useful, e.g. for logging out everywhere. Currently, the limitations are as you say; a Currently, this session store doesn't include a notion of a userName. If a Some considerations I'm trying to think through:
@HartS what do you think?
My thoughts on the considerations:
Could userName (and/or userId) be made an optional field? This would avoid any of the above 3 issues I think
Logging out all logged in users is typically done by applications after a user password change. Some examples:
This is why changing a password often results in sessions being destroyed. I think not destroying sessions after a password change is less secure.
@HartS - thanks for the thoughts.
I think so; I'm going to spend a little time investigating today. The next month could be a bit hectic for me, so if you don't see a PR by the end of the day, feel free to submit one if you'd like to.
Hi @HartS, I just put together a PR (#70) with support for destroying all sessions for a given user. Any chance you could give this a review, and see if it works for you in practice? One thing I'm particularly curious about is whether it introduces any unanticipated backwards compatibility issues... If you happen to notice anything - I'd love to know about it. Cheers.
@kleydon This looks great, thank you! I already worked around it as described above (not a problem for our database since there aren't that many users/sessions), but will be happy to review this also... might take me a week or so
@HartS - glad to hear you aren't blocked.
@wSedlacek, @HartS:
Currently asking the express-session folks if something along these lines might be on their roadmap:
I should have time to take a look at this today or tomorrow. Will try replacing the current
@revington wrote:
@HartS - What do you think about something along the lines of this approach? Rather than constraining / making assumptions about what goes in the This could mostly be achieved by back-end code, by: 1) setting the This approach would still require at least one change to
@ultimate-tester wrote here that:
On reflection, I suspect this is the most future-proof (and computationally inexpensive) way to go. Closing this issue (and its corresponding PR #70) for now.
I posted #39 a while ago (expecting the Session model to have a reference to the User model)
Recently I've been trying to figure out how to be able to destroy all sessions for a given user. As per the advice in that issue, I did put the userName data on the session, and it's stored in Prisma as a property of the JSON object in the data field. However, this can't be queried (except perhaps when using Postgres). So if I wanted to destroy all sessions for a given user (as an admin user), I don't believe there's a way to do this without reading all session records from the database and then filtering in the application.
Is it possible to do this without reading all records with prisma-session-store?
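The workaround described in this post (read every session record, then filter in the application), as an added example that is not part of the original issue or of prisma-session-store. It uses an in-memory array in place of the database table; `sampleRows`, `userNameOf`, `destroyAllSessionsForUser` and `keepSid` are hypothetical names.

```javascript
"use strict";

// Constructed sample rows: a session id plus a JSON string in `data`, as in the post.
const sampleRows = [
  { sid: "s1", data: JSON.stringify({ cookie: {}, userName: "alice" }) },
  { sid: "s2", data: JSON.stringify({ cookie: {}, userName: "bob" }) },
  { sid: "s3", data: JSON.stringify({ cookie: {}, userName: "alice" }) },
  { sid: "s4", data: "{not valid json" },              // corrupted row
  { sid: "s5", data: JSON.stringify({ cookie: {} }) }, // no user attached
];

// Returns the userName stored in a row's JSON blob, or null if absent or unparseable.
function userNameOf(row) {
  try {
    const parsed = JSON.parse(row.data);
    return parsed && typeof parsed.userName === "string" ? parsed.userName : null;
  } catch {
    return null; // one bad row must not abort the logout of the others
  }
}

// Scans every row (one JSON parse per session) and splits them into
// destroyed and remaining. `keepSid` (hypothetical) preserves one session,
// e.g. the one the password change was made from.
function destroyAllSessionsForUser(rows, userName, keepSid = null) {
  if (typeof userName !== "string" || userName === "") {
    throw new TypeError("userName must be a non-empty string");
  }
  const destroyed = [];
  const remaining = [];
  for (const row of rows) {
    const match = userNameOf(row) === userName && row.sid !== keepSid;
    (match ? destroyed : remaining).push(row);
  }
  return { destroyed: destroyed.map((r) => r.sid), remaining };
}

const result = destroyAllSessionsForUser(sampleRows, "alice");
console.log(result.destroyed, result.remaining.length);
```

The cost is one parse per stored session regardless of how many belong to the user, which is the limitation the post asks about.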