Subject: Sessions should store user ID on server side
Hi,
Storing user IDs alongside sessions allows us to implement global
revocation of sessions per user, which should be done when a user
changes their password/access credentials or is deleted.
For example, if a user is changing their password because they know an
attacker knows their password, all the old session tokens should be made
invalid, as they were created with a now invalid set of credentials.
Alternatively, if an attacker is trying to lock a user out, at least the
user being logged out makes the attack a visible one, especially if the
app says "you were logged out in this window because you changed your
password".
And if a user is deleted, naturally all of their sessions should be
considered invalid.
Of course, implementation of such behaviour isn't up to this plugin, but
if it could present APIs to allow it, that would be great.
Cheers,
Nigel
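The following is an added illustration of the behaviour the request describes; it is not the plugin's code and its API names (`SessionStore`, `create`, `resolve`, `on_password_changed`, `on_user_deleted`, the reason strings) are assumptions. It keeps the owning user ID next to every server-side session so that all of a user's sessions can be revoked at once on password change or deletion, and it keeps revoked sessions as tombstones carrying a reason, so a later request with a dead token can be answered with "you were logged out because you changed your password" rather than a silent redirect to login:

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Reason strings are assumptions for this example; a plugin would expose
# them so the application can render a matching message.
REASON_PASSWORD_CHANGED = "password changed"
REASON_ACCOUNT_DELETED = "account deleted"


@dataclass
class Session:
    user_id: str
    created_at: float
    revoked_reason: Optional[str] = None  # None while the session is live
    revoked_at: Optional[float] = None


class SessionStore:
    """In-memory session store that records the owning user ID server-side.

    Hypothetical example API. Revoked sessions stay in the store as
    tombstones (token -> reason) so a client still presenting the old
    token can be told why it was logged out.
    """

    def __init__(self) -> None:
        self._by_token: dict[str, Session] = {}
        self._by_user: dict[str, set[str]] = {}  # live tokens per user

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_token[token] = Session(user_id=user_id, created_at=time.time())
        self._by_user.setdefault(user_id, set()).add(token)
        return token

    def resolve(self, token: str) -> tuple[Optional[str], Optional[str]]:
        """Return (user_id, None) for a live session, (None, reason) for a
        revoked one, and (None, None) for a token the store never issued
        or has already purged."""
        s = self._by_token.get(token)
        if s is None:
            return None, None
        if s.revoked_reason is not None:
            return None, s.revoked_reason
        return s.user_id, None

    def revoke_all_for_user(self, user_id: str, reason: str,
                            keep: Optional[str] = None) -> int:
        """Invalidate every live session of user_id except `keep`.

        `keep` is an assumed policy knob: it lets the session in which the
        password change was made survive. Pass keep=None to drop all.
        Returns the number of sessions revoked."""
        live = self._by_user.get(user_id, set())
        now = time.time()
        revoked = 0
        for token in list(live):
            if token == keep:
                continue
            s = self._by_token[token]
            s.revoked_reason = reason
            s.revoked_at = now
            live.discard(token)
            revoked += 1
        return revoked

    def on_password_changed(self, user_id: str,
                            current_token: Optional[str] = None) -> int:
        return self.revoke_all_for_user(user_id, REASON_PASSWORD_CHANGED,
                                        keep=current_token)

    def on_user_deleted(self, user_id: str) -> int:
        n = self.revoke_all_for_user(user_id, REASON_ACCOUNT_DELETED)
        self._by_user.pop(user_id, None)
        return n

    def purge_tombstones(self, max_age_seconds: float) -> int:
        """Drop revoked sessions older than max_age_seconds so the store
        does not grow without bound. Returns the number purged."""
        cutoff = time.time() - max_age_seconds
        dead = [t for t, s in self._by_token.items()
                if s.revoked_at is not None and s.revoked_at <= cutoff]
        for t in dead:
            del self._by_token[t]
        return len(dead)


if __name__ == "__main__":
    store = SessionStore()
    phone = store.create("alice")
    laptop = store.create("alice")
    # Alice resets her password from the laptop; the phone session dies.
    store.on_password_changed("alice", current_token=laptop)
    print(store.resolve(phone))   # (None, 'password changed')
    print(store.resolve(laptop))  # ('alice', None)
```

Because revocation is keyed on the user ID rather than on the tokens the caller happens to know, it also covers sessions the user cannot see (an attacker's session established with the stolen password). The tombstone lifetime only needs to cover the period in which a client might still retry with the old token; after that, an unknown token and a purged one are treated the same way.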