These recommendations are from @jlfranklin:
I think we should start by adding a way to explicitly expire other sessions, with permissions for admins to expire a single user's sessions and for a user to expire their own. If there is a contrib module that already adds a "logout other devices" button, we should consider pulling it into core. If not, it's a simple enough thing to write.
I don't think the right thing to do is to simply delete all sessions on password save. There should be some more administrator control over this. As a starting point, I'll propose this:
- Add a setting to the user or system modules (user.expire_sessions_on_password_change or similar), defaulting to TRUE.
- Add code to conditionally expire sessions on password change.
- Add an "Advanced Security" module that exposes the setting with a description detailing the risk.
- The "Logout other devices" button could be added to the Advanced Security module, too.
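Added example (not code from the issue or from the project): a small Python model of the policy proposed above, with the setting defaulting to TRUE, a permission-gated "logout other devices" action, and the rule that the acting user's own session survives. The `administer users` permission name, the session store and the config dict are assumptions standing in for the real user and session subsystems.

```python
# Constructed config store; the proposed setting defaults to TRUE.
DEFAULT_CONFIG = {"user.expire_sessions_on_password_change": True}


class PermissionDenied(Exception):
    pass


class SessionStore:
    """In-memory stand-in for the sessions table: sid -> uid."""

    def __init__(self):
        self.sessions = {}

    def open(self, sid, uid):
        self.sessions[sid] = uid

    def active_for(self, uid):
        return sorted(sid for sid, u in self.sessions.items() if u == uid)

    def expire_other_sessions(self, uid, keep_sid=None):
        """Delete every session of `uid` except `keep_sid`; return the count removed.

        Keeping the current session is what makes password-change expiry and
        a "logout other devices" button usable: the person who just acted is
        not logged out themselves.
        """
        doomed = [sid for sid, u in self.sessions.items()
                  if u == uid and sid != keep_sid]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)


def can_expire_sessions(actor_uid, actor_perms, target_uid):
    """Admins may expire any user's sessions; a user may expire their own."""
    # "administer users" is an assumed permission name for this example.
    return "administer users" in actor_perms or actor_uid == target_uid


def logout_other_devices(store, actor_uid, actor_perms, target_uid, current_sid):
    """Explicit "Logout other devices" action, gated by the permission check."""
    if not can_expire_sessions(actor_uid, actor_perms, target_uid):
        raise PermissionDenied(f"uid {actor_uid} may not expire sessions of uid {target_uid}")
    # The current session is kept only when the actor is acting on themselves.
    keep = current_sid if actor_uid == target_uid else None
    return store.expire_other_sessions(target_uid, keep_sid=keep)


def on_password_change(store, uid, current_sid, config=DEFAULT_CONFIG):
    """Conditional expiry on password save, honouring the proposed setting."""
    if not config.get("user.expire_sessions_on_password_change", True):
        return 0
    # If an admin changes someone else's password, current_sid belongs to a
    # different uid, so every session of the target user is expired.
    return store.expire_other_sessions(uid, keep_sid=current_sid)
```

Because `keep_sid` is only honoured when it belongs to the target uid, an administrator resetting another account's password expires all of that account's sessions while keeping their own.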