[Update - this is not actually correct. See below]
After a bit of experimentation in a DM, we came up with this workaround:
Uncheck the ‘Remember login between sessions’ box in the Users Service GUI
Save and publish app
Check the box
Save and publish app
That clears the session data and forces all remembered users to re-log-in. I tested this by logging in elsewhere, then reloading the app after doing that procedure.
David suggested modifying Anvil so that a user’s session cookie is deleted when their password is changed - definitely worth doing so that this can be sorted out more intuitively in future.
Actually this is a bug in the Anvil Users Service, and the suggested workaround won’t actually work. We’re going to fix this as a matter of urgency so that either changing a password or disabling and re-enabling “Remember Me” will invalidate saved logins.
This feature is now live. Changing a user’s password will invalidate any existing remembered logins they have, and unticking/reticking “Remember Login Between Sessions” will invalidate any existing remembered logins for all your users.
Incidentally, this is now also true of Anvil itself - if you reset your password as a developer, existing logins on all devices/browsers will expire.
Just to clarify - at what point will a logged in user be “kicked out” if they were logged in during the password change?
Edit: I think what I’m asking is - does the session get killed as well? I’m assuming not, and if I’m right would that be a possible update for the future?
Ok, unless you tell me the session gets killed as well (it looks like it doesn’t) I am going to code in a mechanism for a “kill switch”, which will be a table field probably in Users.
That kill switch will be set when the password for a user is changed via the sysadmin panel, and read by every logged in user before performing any server side action. If present, the user will be logged off immediately (and the kill flag deleted).
That is certainly the correct way to implement that. We can’t unilaterally decide to kill all sessions because login state is just one thing you might want to store in the session.
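A sketch of the kill-switch check discussed in the posts above, added here as an example and not code from the thread or from Anvil. It assumes a hypothetical `session_epoch` counter column in place of a boolean flag, so that every concurrent session of the user is logged out rather than only the first one to see the flag; plain dicts stand in for the Users table and the server session.

```python
import functools

# Constructed stand-in for the Users data table: email -> row.
# "session_epoch" is a hypothetical column, bumped on every password change.
USERS = {"alice@example.com": {"password_hash": "old", "session_epoch": 0}}


class SessionExpired(Exception):
    """Raised when a session predates the user's latest password change."""


def login(email):
    """Return a new session dict that records the epoch it was created under."""
    return {"user": email, "epoch": USERS[email]["session_epoch"]}


def admin_change_password(email, new_hash):
    """Password change from the sysadmin panel: also flips the kill switch."""
    row = USERS[email]
    row["password_hash"] = new_hash
    row["session_epoch"] += 1  # every session created before now becomes stale


def require_live_session(fn):
    """Run the kill-switch check before a server-side action."""
    @functools.wraps(fn)
    def wrapper(session, *args, **kwargs):
        email = session.get("user")
        if email is None:
            raise SessionExpired("not logged in")
        if session["epoch"] != USERS[email]["session_epoch"]:
            # Drop only the login state; other session data is left alone.
            session.pop("user")
            session.pop("epoch")
            raise SessionExpired("password changed; log in again")
        return fn(session, *args, **kwargs)
    return wrapper


@require_live_session
def get_profile(session):
    """Example server-side action guarded by the check."""
    return {"email": session["user"]}
```

Because the counter is never reset, there is no window in which a second stale session can slip through after the first one has been logged off.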