Forum OpenACS Q&A: Invalidate all session and login cookies

Dear all,

Is there a way to set the server in a state so that it does not accept any of the authentication cookies (e.g. ad_user_login, ad_session_id) it has sent before and force their deletion / re-issuance on the next request?

Posted by Gustaf Neumann on
There is no built-in mechanism for this. However, in the sec_handler in the security-procs of acs-tcl you can find the code to force the expiration of the session cookie (ad_session_id) and to force the login handler. The session id cookie contains the issue time as its 4th value, which you can use for checking.
Posted by Brian Fenton on
Hi Michael

I think it's as simple as doing this in the database:

update users set auth_token = 'whatever'


Posted by Michael Aram on

Thank you both for your answers.

Brian, your appealing approach does not work, unfortunately, at least not in our case.

Now, we would add the following snippet to acs-tcl/security-procs.tcl at line 130:

    # essentially "now" now plus kernel parameter session_renew_time
    set hardcoded_constant_timestamp 123456789
    if {$session_last_renew_time < $hardcoded_constant_timestamp} {

Any final comments? 😊
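
As an added illustration of the cutoff check discussed above (this is a standalone script written for this page, not code from the thread or from OpenACS), here is a Tcl model of a session handler that rejects every cookie whose 4th field predates a server-wide cutoff timestamp, so that all cookies issued before that moment are re-issued on the next request. The comma-separated cookie layout, the global `::sessions_invalid_before` variable and the proc names are assumptions for the example; the thread only states that the 4th value is the time.

```tcl
#!/usr/bin/env tclsh
# Standalone illustration (not OpenACS code): treat every session cookie
# whose 4th field (the issue/renew time, per the thread) is older than a
# server-wide cutoff as expired, so the handler falls through to its
# re-issue / force-login path for all cookies issued before the cutoff.

# ASSUMPTION: in a real deployment this cutoff would be stored in a kernel
# parameter or a DB row so it survives restarts and is shared across nodes.
set ::sessions_invalid_before 0

# Mark every cookie issued up to "now" as invalid. Cookies issued after
# this call (same second or later) remain valid.
proc invalidate_all_sessions {} {
    set ::sessions_invalid_before [clock seconds]
    return $::sessions_invalid_before
}

# cookie_val models the decoded, signature-checked ad_session_id value as
# "session_id,user_id,login_level,renew_time" (ASSUMED layout). The
# signature check itself is out of scope here and is assumed to have
# already happened, as it does before sec_handler reads the fields.
proc session_cookie_status {cookie_val} {
    set fields [split $cookie_val ","]
    if {[llength $fields] != 4} {
        return "malformed"
    }
    lassign $fields session_id user_id login_level renew_time
    if {![string is integer -strict $renew_time]} {
        return "malformed"
    }
    # The actual check: anything stamped before the cutoff is handled
    # exactly like an expired session.
    if {$renew_time < $::sessions_invalid_before} {
        return "expired"
    }
    return "valid"
}

# Models the decision the handler makes for a request: accept the cookie,
# or re-issue it (and force login for an authenticated session).
proc handle_request {cookie_val} {
    switch -- [session_cookie_status $cookie_val] {
        valid   { return "accept" }
        expired { return "reissue-and-force-login" }
        default { return "reissue" }
    }
}

# Demo with constructed cookie values.
set old_cookie "42,1001,2,[expr {[clock seconds] - 3600}]"
puts "before cutoff: [handle_request $old_cookie]"
invalidate_all_sessions
puts "after cutoff:  [handle_request $old_cookie]"
set new_cookie "43,1001,2,[clock seconds]"
puts "fresh cookie:  [handle_request $new_cookie]"
puts "garbage:       [handle_request {not,a,cookie}]"
```

Run it with `tclsh`; the old cookie is accepted before `invalidate_all_sessions` and rejected afterwards, while a cookie stamped at or after the cutoff still passes. Because the comparison is strict (`<`), a cookie issued in the same second as the cutoff is still accepted; if that matters, store the cutoff as `[clock seconds] + 1` or compare with `<=`. Unlike the hardcoded constant in the snippet above, keeping the cutoff in persistent shared state lets you trigger a global logout at any time without editing and reloading the procs.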

Posted by Michael Aram on
...the addition of session_renew_time was an error in reasoning...
Posted by Antonio Pisano on
As we are discussing a similar feature, I investigated why sec_change_user_auth_token seems to be ineffective. Commit

should fix the issue, but please feel free to review the change, as Lars's comment states the possibility of side effects.

All the best