n/a

API addition

Need to expand the session API to support invalidating all sessions for a user, and make that an API back-ends need to support in some way. has this already so is it just a case of calling that on password changes?

Because of that requirement for back-ends to support it, this is not something that can readily be added in 8.1.x so must be added to 8.0.x

None

For Drupal 7 there are contrib solutions that work only for SQL session storage: https://

original report was part of the Drupal 8 bug bounty

https://tracker.bugcrowd.com/submissions/39a728dfa89b4029bbc15499c410b97...

https://tracker.bugcrowd.com/submissions/[email protected], @effulgentsia, and I discussed this issue this morning. Need to make sure the user doesn't get logged out due to that though from their current session.
Assume I realize I left myself logged into a shared computer to my Drupal site account. However, the session on the shared computer is NOT invalidated and anyone with access to that machine continues to have access to my Drupal site account.
Add to the session API a method that allows invalidating all sessions based on username or uid.
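A sketch of the proposed method, as an added example that is not Drupal's session API or code from the issue: the interface name `UserSessionInvalidator`, the method `invalidateAllForUser()` and the in-memory `ArraySessionStore` back-end are hypothetical. It destroys every session for a uid while keeping the session that submitted the password change, so the user is not logged out of their current session.

```php
<?php
declare(strict_types=1);

// Hypothetical contract every session back-end would have to implement.
interface UserSessionInvalidator {
    /** Destroys all sessions owned by $uid except $keepSid; returns how many were removed. */
    public function invalidateAllForUser(int $uid, ?string $keepSid = null): int;
}

// In-memory back-end (assumption) standing in for SQL or any other storage.
final class ArraySessionStore implements UserSessionInvalidator {
    /** @var array<string, int> session id => owning uid */
    private array $sessions = [];

    public function open(int $uid): string {
        $sid = bin2hex(random_bytes(32)); // unguessable id from the CSPRNG
        $this->sessions[$sid] = $uid;
        return $sid;
    }

    public function isValid(string $sid): bool {
        return isset($this->sessions[$sid]);
    }

    public function invalidateAllForUser(int $uid, ?string $keepSid = null): int {
        $removed = 0;
        foreach ($this->sessions as $sid => $owner) {
            // Cast: PHP turns purely numeric string keys into ints.
            if ($owner === $uid && (string) $sid !== $keepSid) {
                unset($this->sessions[$sid]);
                $removed++;
            }
        }
        return $removed;
    }
}

// Constructed scenario: uid 7 has sessions on a shared computer and at home.
$store  = new ArraySessionStore();
$shared = $store->open(7);
$home   = $store->open(7);
$other  = $store->open(8); // a different user, must be unaffected

// The password change is submitted from the home session, which is kept.
$removed = $store->invalidateAllForUser(7, $home);
var_dump($removed, $store->isValid($shared), $store->isValid($home), $store->isValid($other));
```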
In a previous article I discussed the methods used for session tracking.
It has fundamental information about what a session is and how to manage it. Just to recap, a session is a conversation between a server and a client.
It may or may not provide more luxury features, but the minimum is guaranteed.