
This queue is for tickets about the Catalyst-Plugin-Session CPAN distribution.

Report information
The Basics
Id: 64858
Status: new
Priority: 0/
Queue: Catalyst-Plugin-Session

People
Owner: Nobody in particular
Requestors: nigel [...] mcnie.name
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 0.29
Fixed in: (no value)
Subject: Sessions should store user ID on server side
Hi,

Storing user IDs alongside sessions allows us to implement global revocation of sessions per user, which should be done when a user changes their password/access credentials or is deleted. For example, if a user is changing their password because they know an attacker knows their password, all the old session tokens should be made invalid, as they were created with a now invalid set of credentials.

Alternatively, if an attacker is trying to lock a user out, at least the user being logged out makes the attack a visible one, especially if the app says "you were logged out in this window because you changed your password". And if a user is deleted, naturally all of their sessions should be considered invalid.

Of course, implementation of such behaviour isn't up to this plugin, but if it could present APIs to allow it, that would be great.

Cheers,
Nigel
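The mechanism the ticket asks for, as an added example that is not code from the ticket or from Catalyst::Plugin::Session: a session store that records the owning user ID and keeps a reverse index so all of a user's sessions can be revoked on password change or account deletion, with the revocation reason retained so the app can tell the user why they were logged out. It is written in Python for illustration; the class, hook names and reason strings are assumptions.

```python
import secrets


class SessionStore:
    """In-memory session store that records which user owns each session and
    keeps a reverse index (user_id -> session ids) so that every session of a
    user can be revoked in one step. Constructed example, not the
    Catalyst::Plugin::Session API."""

    def __init__(self):
        self._sessions = {}   # session_id -> {"user_id": ...}
        self._by_user = {}    # user_id -> set of session ids
        self._revoked = {}    # session_id -> reason to show on the next request

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)   # unguessable session token
        self._sessions[sid] = {"user_id": user_id}
        self._by_user.setdefault(user_id, set()).add(sid)
        return sid

    def lookup(self, sid):
        """Return the session record, or None if the id is unknown or revoked."""
        return self._sessions.get(sid)

    def revocation_reason(self, sid):
        """Why a formerly valid session was revoked, or None if it was not."""
        return self._revoked.get(sid)

    def revoke_user_sessions(self, user_id, reason):
        """Invalidate every session owned by user_id; returns how many were revoked.
        A real store would expire the _revoked entries after a while."""
        sids = self._by_user.pop(user_id, set())
        for sid in sids:
            del self._sessions[sid]
            self._revoked[sid] = reason
        return len(sids)


def on_password_change(store, user_id):
    """Hook an application would call after a successful credential change:
    drop every existing session for the user (including the one that made
    the request) and hand back a fresh session for the current window."""
    store.revoke_user_sessions(user_id, "password changed")
    return store.create(user_id)


def on_user_deleted(store, user_id):
    """Hook for account deletion: no session of the user may remain valid."""
    return store.revoke_user_sessions(user_id, "account deleted")
```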