Old login still works after changing password

A ‘remember me’ login is still allowing that terminal to log in after the password was changed on a different PC.

Is there any way to null that older, prechange session/cookie/whatever?

It’s potentially malicious. The PC that remains logged in was logged in by mistake, and the client no longer has access to it.

Thanks,

Hate to bump threads usually, but this is actually causing an issue for me.

Anyone got any idea on how I disable a session for a PC I have no access to?
Think this is probably one for @meredydd, @daviesian or @shaun

[Update - this is not actually correct. See below]

After a bit of experimentation in a DM, we came up with this workaround:

  • Uncheck the ‘Remember login between sessions’ box in the Users Service GUI
  • Save and publish app
  • Check the box
  • Save and publish app

That clears the session data and forces all remembered users to re-log-in. I tested this by logging in elsewhere, then reloading the app after doing that procedure.

David suggested modifying Anvil so that a user’s session cookie is deleted when their password is changed - definitely worth doing so that this can be sorted out more intuitively in future.


Actually this is a bug in the Anvil Users Service, and the suggested workaround won’t actually work. We’re going to fix this as a matter of urgency so that either changing a password or disabling and re-enabling “Remember Me” will invalidate saved logins.

Thanks for spotting this David!


Please could you let me know when this fix is live? I’ll need to ripple that info down the line.

Thanks,

This feature is now live. Changing a user’s password will invalidate any existing remembered logins they have, and unticking/reticking “Remember Login Between Sessions” will invalidate any existing remembered logins for all your users.

Incidentally, this is now also true of Anvil itself - if you reset your password as a developer, existing logins on all devices/browsers will expire.


Wonderful, thank you.

Just to clarify - at what point will a logged in user be “kicked out” if they were logged in during the password change?

Edit: I think what I’m asking is - does the session get killed as well? I’m assuming not, and if I’m right would that be a possible update for the future?

Ok, unless you tell me the session gets killed as well (it looks like it doesn’t) I am going to code in a mechanism for a “kill switch”, which will be a table field probably in Users.

That kill switch will be set when the password for a user is changed via the sysadmin panel, and read by every logged in user before performing any server side action. If present, the user will be logged off immediately (and the kill flag deleted).

Don’t know why I didn’t think of this earlier 🙂
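The kill-switch design described in the post above, as an added example in plain Python (not Anvil's code and not the poster's implementation): a dict stands in for the Users table, a dict stands in for the server session, and a decorator performs the check before every protected server function. It goes one step beyond the one-shot flag in the post: a per-user session epoch is bumped on password change, so every session issued before the change is logged out, not only the first one to make a server call afterwards.

```python
from functools import wraps

# Constructed stand-in for the Users data table (email -> row). In a real
# Anvil app this would be a Users table column such as 'session_epoch'.
USERS = {
    "alice@example.com": {"password_hash": "old-hash", "session_epoch": 0},
}


class SessionRevoked(Exception):
    """Raised when a request arrives from a session that has been revoked."""


def login(email):
    """Create a session dict that remembers the epoch it was issued under."""
    return {"user": email, "epoch": USERS[email]["session_epoch"]}


def admin_change_password(email, new_hash):
    """Sysadmin action: change the password and arm the kill switch.

    Bumping the epoch (instead of setting a boolean that the first caller
    consumes) means every pre-change session fails its next check.
    """
    row = USERS[email]
    row["password_hash"] = new_hash
    row["session_epoch"] += 1


def require_live_session(func):
    """Decorator for server functions: reject calls from revoked sessions."""
    @wraps(func)
    def wrapper(session, *args, **kwargs):
        email = session.get("user")
        if email is None:
            raise PermissionError("not logged in")
        if session["epoch"] != USERS[email]["session_epoch"]:
            session.clear()  # log the caller out immediately
            raise SessionRevoked(f"session for {email} was revoked")
        return func(session, *args, **kwargs)
    return wrapper


@require_live_session
def get_account_summary(session):
    """Example protected server function."""
    return {"user": session["user"], "status": "ok"}
```

Calling `admin_change_password()` and then making any decorated call from a session opened earlier raises `SessionRevoked` and empties that session; a fresh `login()` picks up the new epoch and works normally.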

That is certainly the correct way to implement that. We can’t unilaterally decide to kill all sessions because login state is just one thing you might want to store in the session.
