Gossamer Forum

kicking a user off the system

Hi there,

I've found that if I change the password for any given user while they are connected, they still remain on the system until their session expires or they logout.

The problem is that I found that I needed to change a password while the user was on, so that I could kick them out, but that didn't work. Looking through the session files to delete their session file is a time-consuming task that doesn't help solve a security breach that requires immediate action.

Similarly, changing their status to Not Validated doesn't help solve the problem either.

Does anyone have any suggestions on how to kick a user off quickly, without deleting the User entry from the database?

thanks for any thoughts on the matter

klangan
Re: [klangan] kicking a user off the system In reply to
The only solution would be to delete the session for the user.
This could be automatized using a plugin or maybe with a global...

Best regards,
Webmaster33


Re: [webmaster33] kicking a user off the system In reply to
Yeah, that's what I thought. Problem is that it's so difficult to determine what session has been assigned to the user without opening each file and checking for the username.

Oh well, hope GT gives this some consideration. Perhaps writing the session to the User file when they log in so they can be identified if need be.

thanks for the feedback.

peace.

klangan
Re: [klangan] kicking a user off the system In reply to
A small Perl script can be used to do this. If you are interested I can write it.

You could just do the following:

boot.cgi?user=bob

And it will remove their session.

Let me know if you are interested.
Re: [Paul] kicking a user off the system In reply to
Thanks Paul,

That's a good idea. I can write the script, but thanks for the offer.

Ultimately though, I feel that GT should take on this responsibility as it is part of system security.

Just my 2-bits, anyone else?

peace.

klangan
Re: [klangan] kicking a user off the system In reply to
I was bored so here it is anyway :)

Just shove it in your admin directory.

Last edited by: Paul: Feb 7, 2003, 11:40 AM
Re: [Paul] kicking a user off the system In reply to
Nice thing from you. Just a suggestion about the name: wouldn't it be better to name it kick.cgi?
Not that it really matters, just it may be more descriptive, IMO.

Best regards,
Webmaster33


Re: [webmaster33] kicking a user off the system In reply to
If the name causes you to lose sleep feel free to name it how you please.
Re: [Paul] kicking a user off the system In reply to
Hi Paul,

Thanks for that, very considerate of you.

peace.

klangan
Re: [klangan] kicking a user off the system In reply to
Hi Kyle,

You could edit Links.pm, sub init_user, and add:

    if ($USER) {
        if ($USER->{Status} eq 'Not Validated') {
            return;
        }
    }

right after:

$USER = Links::Authenticate::auth('get_user', { Username => $valid_user, Password => $password, auto_create => 1 });

This should stop anybody who is not validated from getting in. I'll look at including this in the next release. I'm not 100% sure what the other ramifications are, but I think it should be ok.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [klangan] kicking a user off the system In reply to
If you use my script, one thing I just noticed is that closedir needs to also go just before the return; otherwise the file handle won't be closed.
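
The session-file scan discussed in this thread, as an added example that is not Paul's script and not Gossamer Threads code. It assumes one plain file per session in a directory and that the username appears in the file as its own token; the session directory path, the file format and the `kick_user` name are all hypothetical.

```perl
#!/usr/bin/perl
# Added example: remove every session file that belongs to one user.
# ASSUMPTIONS (not taken from Links SQL): one plain file per session in
# $session_dir, and the username appears in the file as its own token.
use strict;
use warnings;

sub kick_user {
    my ($session_dir, $username) = @_;

    # Accept only a conservative username alphabet (constructed rule),
    # so the value can never act as a path fragment.
    die "bad username\n"
        unless defined $username && $username =~ /\A[-\w.\@]{1,64}\z/;

    opendir(my $dh, $session_dir) or die "cannot open $session_dir: $!\n";
    my @names = grep { !/\A\.\.?\z/ } readdir($dh);
    closedir($dh);    # handle is closed before any return path is reached

    my @removed;
    for my $name (@names) {
        my $path = "$session_dir/$name";
        next unless -f $path && !-l $path;    # regular files only, no symlinks
        open(my $fh, '<', $path) or next;
        my $hit = 0;
        while (my $line = <$fh>) {
            # Whole-token match so "bob" does not also match "bobby".
            if ($line =~ /(?<![-\w.\@])\Q$username\E(?![-\w.\@])/) {
                $hit = 1;
                last;
            }
        }
        close($fh);
        next unless $hit;
        if (unlink $path) { push @removed, $name }
        else              { warn "could not remove $path: $!\n" }
    }
    return @removed;
}

# Usage: perl kick_user.pl /path/to/sessions bob
die "usage: $0 <session_dir> <username>\n" unless @ARGV == 2;
my @gone = kick_user(@ARGV);
my $msg  = @gone ? "removed: @gone" : "no session found for $ARGV[1]";
print "$msg\n";
```

A session file that merely mentions the name is also removed; the cost of that false positive is one forced re-login, which is the safe direction when responding to a compromised account.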
Re: [Paul] kicking a user off the system In reply to
Hi Paul,

I noticed that and made a few changes and created a plugin that ties into auth_change_pass.

So now, whenever the administrator changes a user's password, the script looks for the user session and deletes it. The plugin will optionally provide a message as to whether the user was online when the session was deleted. Had a little time too and wanted to create a plugin :)

I gave you credit in the plugin in case anyone else wants it.

Let me know if you'd like to see it.

peace.

klangan
Re: [klangan] kicking a user off the system In reply to
Oh, I should warn you, in Links SQL 2.1.2 we moved Sessions into the database, so removing a user's session is just:

$DB->table('Sessions')->delete( { session_user_id => 'Foo' });

=). This was required for Community to efficiently remove sessions.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] kicking a user off the system In reply to
Thanks for letting me know that, Alex. I'll incorporate that into the plugin based on the $CFG->{version}.

peace.

klangan