Forum OpenACS Q&A: Invalidate all session and login cookies

Collapse
1: Invalidate all session and login cookies
Posted by Michael Aram on 04/18/18 05:45 PM
Dear all,

is there a way to set the server in a state so that it does not accept any of the authentication cookies (e.g. ad_user_login, ad_session_id) it has sent before and force their deletion / re-issuance on the next request?

Collapse
2: Re: Invalidate all session and login cookies (response to 1)
Posted by Gustaf Neumann on 04/18/18 08:32 PM
There is no built-in mechanism for this. However, in the sec_handler in the security-procs of acs-tcl you can find the code to force the expiration of the session cookie (ad_session_id) and to force login handler. The session id cookie contains as 4th value the issue time, that you can use for checking.
Collapse
3: Re: Invalidate all session and login cookies (response to 1)
Posted by Brian Fenton on 04/19/18 10:53 AM
Hi Michael

I think it's as simple as doing this in the database:

update users set auth_token = 'whatever'

Brian

Collapse
4: Re: Invalidate all session and login cookies (response to 1)
Posted by Michael Aram on 04/19/18 02:20 PM

Thank you both for your answers.

Brian, your appealing approach does not work, unfortunately, at least not in our case.

Now, we would add the following snippet to acs-tcl/security-procs.tcl at line 130:

http://cvs.openacs.org/browse/OpenACS/openacs-4/packages/acs-tcl/tcl/security-procs.tcl?u=3&r=1.90#to130

       # essentially "now" now plus kernel parameter session_renew_time
       set hardcoded_constant_timestamp 123456789
       if {$session_last_renew_time < $hardcoded_constant_timestamp} {
           ad_user_logout
           sec_login_handler
           return
       }

Any final comments? 😊

Collapse
5: Re: Invalidate all session and login cookies (response to 1)
Posted by Michael Aram on 04/19/18 06:08 PM
...the addition of session_renew_time was an error in reasoning...
Collapse
6: Re: Invalidate all session and login cookies (response to 1)
Posted by Antonio Pisano on 06/08/18 03:43 PM
As we are discussing about a similar feature, I investigated about why sec_change_user_auth_token seems to be uneffective. Commit

http://cvs.openacs.org/changelog/OpenACS?cs=MAIN%3Aantoniop%3A20180608133913

should fix the issue, but please feel free to review the change, as Lars's comment states the possibility of side effects.

All the best