The situation is this: I am trying to implement the admin section of the site so that it can be accessed from various devices.

When you first log into the admin section with the login and password, a cookie is set on the device (for 365 days), and its hash is stored in a separate database table. When you log in with the same login and password from other devices, cookies are set on them too. The cookies differ from device to device, so the next time you open the admin section, the script scans the database table of cookie hashes. If a match is found, a session is established and no login/password is required.

It's simple. But what if a third party gets hold of the login and password? The attacker will enter them on his device and gain access to the admin panel. Of course, if this is detected, the administrator can immediately change the login and password in the database and delete the table with the cookies, but the attacker still has a session variable and can do whatever he wants until the session ends.

What are the ways to solve this problem? On well-known websites, when a user's authentication data changes, the session immediately ends on other devices.

  • Isn't a compromised password a reason to reset everything you can? Yes, and after changing the password, resetting the session is simply mandatory. - user207618
  • @Other, how do you reset the session on all devices where sessions and cookies were established? - Deus
  • Why do this? Clear the table of valid sessions, and then any device with a session will simply receive the response "Session is not valid" and be redirected to the login page / substitute your own. - user207618
  • This is the first I've heard of it. Is there a table with sessions? Check the session against the table data on every page refresh? - Deus
  • Something like this: a session key is generated and stored in the database (if you need to store it longer); with each request the received key is checked for its presence in the database. If it is found, the request was once authenticated and is still valid, and it is allowed without a password. If the key is not present in the database (session table), make it authenticate again. - user207618

1 answer

Well, to be able to drop all of a user's current sessions from all devices, you obviously need a link between session and user. In the same table with the hashes for the different devices, you can also store the user_id for each session. As soon as the password for a specific user_id changes, all entries in the hash table for that user are deleted by his id.

By the same principle, you can implement a button in the admin panel: "Disconnect all devices (sessions) except the current one / including the current one".

  • The login and password exist in a single copy. Therefore the "disconnect devices" button will accurately remove all sessions except the only one, the real admin's. How do you determine whether it's the admin or an attacker behind the device? I think deleting all sessions should happen with email confirmation. Right? - Deus
  • No, and let the administrator be thrown out too; if he has just changed the password, let him re-enter it and continue working. Another interesting option is to look at which IP the password-change request came from and keep only that session. As for "How to determine whether the admin or an attacker is behind the device", that is very hard to answer; even Google sometimes cannot cope with this task. Here you need to conduct total surveillance of the user and determine his standard behavior (at what time he logs in, from which IP, and so on), and in case of deviation from the norm, use the power of two-factor authentication. - Rochfort
  • Nowadays most people have a dynamic IP. I'll tie it to email. Yes, you need to reset all sessions, including the admin's. - Deus
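An added, runnable illustration of the scheme discussed in the question and the answer above (this is example code written for this page, not the asker's script or anything posted in the thread). It assumes an in-memory SQLite database, PBKDF2-SHA256 for password storage and SHA-256 for the cookie value; the table layout, the 365-day lifetime and all function names (open_db, login_with_password, user_for_cookie, revoke_sessions, change_password) are this example's own choices. The sessions table carries a user_id per row, so change_password can delete every session of that user in the same transaction as the password update, and the keep_token argument implements the "disconnect all except the current one" button from the answer.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

SESSION_TTL = 365 * 24 * 3600   # assumed cookie lifetime: 365 days, as in the question
PBKDF2_ITERATIONS = 200_000     # assumed work factor for password hashing


def open_db():
    """Create the users table and one row per device session (example schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (
            id            INTEGER PRIMARY KEY,
            login         TEXT UNIQUE NOT NULL,
            password_hash TEXT NOT NULL
        );
        CREATE TABLE sessions (
            token_hash TEXT PRIMARY KEY,
            user_id    INTEGER NOT NULL REFERENCES users(id),
            device     TEXT,
            expires_at INTEGER NOT NULL
        );
    """)
    return db


def hash_password(password, salt=None):
    """PBKDF2-SHA256 with a random per-user salt, stored as 'salt$hex'."""
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt),
                                 PBKDF2_ITERATIONS)
    return f"{salt}${digest.hex()}"


def verify_password(password, stored):
    salt, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(password, salt), stored)


def hash_token(token):
    """Only the hash of the cookie value is stored, so a leaked table yields no usable cookies."""
    return hashlib.sha256(token.encode()).hexdigest()


def create_user(db, login, password):
    cur = db.execute("INSERT INTO users (login, password_hash) VALUES (?, ?)",
                     (login, hash_password(password)))
    return cur.lastrowid


def login_with_password(db, login, password, device):
    """Check login/password; on success mint a fresh random cookie value for this device."""
    row = db.execute("SELECT id, password_hash FROM users WHERE login = ?", (login,)).fetchone()
    if row is None or not verify_password(password, row[1]):
        return None
    token = secrets.token_urlsafe(32)   # this is the value sent back in the cookie
    db.execute("INSERT INTO sessions (token_hash, user_id, device, expires_at) VALUES (?, ?, ?, ?)",
               (hash_token(token), row[0], device, int(time.time()) + SESSION_TTL))
    return token


def user_for_cookie(db, token, now=None):
    """Per-request check: hash the presented cookie and look it up. Returns user_id or None."""
    now = int(time.time()) if now is None else now
    row = db.execute("SELECT user_id FROM sessions WHERE token_hash = ? AND expires_at > ?",
                     (hash_token(token), now)).fetchone()
    return row[0] if row else None


def revoke_sessions(db, user_id, keep_token=None):
    """Delete every session of the user, optionally keeping the caller's own cookie.
    Returns the number of sessions dropped."""
    if keep_token is None:
        cur = db.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,))
    else:
        cur = db.execute("DELETE FROM sessions WHERE user_id = ? AND token_hash <> ?",
                         (user_id, hash_token(keep_token)))
    return cur.rowcount


def change_password(db, user_id, new_password, keep_token=None):
    """Store the new password and drop the user's sessions in one transaction,
    so there is no window in which the old cookies still work after the change."""
    with db:
        db.execute("UPDATE users SET password_hash = ? WHERE id = ?",
                   (hash_password(new_password), user_id))
        return revoke_sessions(db, user_id, keep_token)


if __name__ == "__main__":
    # Constructed walk-through: two legitimate devices plus one login with a stolen password.
    db = open_db()
    admin = create_user(db, "admin", "correct horse")
    laptop = login_with_password(db, "admin", "correct horse", "laptop")
    phone = login_with_password(db, "admin", "correct horse", "phone")
    stolen = login_with_password(db, "admin", "correct horse", "unknown device")
    dropped = change_password(db, admin, "new password", keep_token=laptop)
    print("sessions dropped:", dropped, "| attacker still logged in:",
          user_for_cookie(db, stolen) is not None)
```

Because the lookup key is the hash of a 256-bit random value, the table is useless to anyone who only reads it; what the attacker holds is the raw cookie, and the per-request lookup is exactly what makes the deletion take effect on his next request rather than "when the session ends".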