These recommendations are from @jlfranklin:
I think we should start by adding a way to explicitly expire other sessions, with permissions for admins to expire a single user's sessions and for a user to expire their own. if there is a contirb module that already adds a "logout other devices" buttons, we should consider pulling it into core. If not, it's a simple enough thing to write.
I don't think the right thing to do is to simply delete all sessions on password save. There should be some more administrator control over this. As a starting point, I'll propose this:
- Add a setting to the user or system modules (user.expire_sessions_on_password_change or similar), defaulting to TRUE.
- Add code to conditionally expire sessions on password change.
- Add an "Advanced Security" module that exposes the setting with a description detailing the risk.
- The "Logout other devices" button could be added to the Advanced Security module, too.
Recent comments
@ian I am getting lost what module are you using that is version 1.x-1.6.0 and 1.x-1.7.0 ?
Cloudflare specific advice needed
I'm also now getting a 403 when trying to access admin/reports/updates - it seems to be Backdrop generated but there is nothing in the Recent Log messages other than my login as admin...
Cloudflare specific advice needed
Since this is still possibly Cloudflare related I'll post here: I'm now experiencing what I think is caching issue - since installing Bee I've run bee cc all, bee cron, bee mm 1, then,...
Cloudflare specific advice needed