These recommendations are from @jlfranklin:
I think we should start by adding a way to explicitly expire other sessions, with permissions for admins to expire a single user's sessions and for a user to expire their own. If there is a contrib module that already adds a "logout other devices" button, we should consider pulling it into core. If not, it's a simple enough thing to write.
I don't think the right thing to do is to simply delete all sessions on password save. There should be some more administrator control over this. As a starting point, I'll propose this:
- Add a setting to the user or system modules (user.expire_sessions_on_password_change or similar), defaulting to TRUE.
- Add code to conditionally expire sessions on password change.
- Add an "Advanced Security" module that exposes the setting with a description detailing the risk.
- The "Logout other devices" button could be added to the Advanced Security module, too.
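
The proposal above, modelled as an added example (not code from the original comment or from the project): a minimal in-memory session store in Python showing the setting-gated expiry on password change and the admin/self permission check. The class, method names, and the choice to keep the session that performs the password change are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Hypothetical in-memory model of a session table (sid -> uid)."""
    # Models the proposed user.expire_sessions_on_password_change setting.
    expire_on_password_change: bool = True
    sessions: dict = field(default_factory=dict)

    def login(self, uid):
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self.sessions[sid] = uid
        return sid

    def expire_other_sessions(self, actor_uid, target_uid,
                              keep_sid=None, actor_is_admin=False):
        """Expire target_uid's sessions except keep_sid; return count removed."""
        # Users may expire their own sessions; only admins may expire others'.
        if actor_uid != target_uid and not actor_is_admin:
            raise PermissionError("only admins may expire another user's sessions")
        doomed = [sid for sid, uid in self.sessions.items()
                  if uid == target_uid and sid != keep_sid]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)

    def change_password(self, uid, current_sid):
        """Password storage is omitted; only the session side effect is modelled."""
        if self.sessions.get(current_sid) != uid:
            raise PermissionError("current session does not belong to this user")
        if not self.expire_on_password_change:
            return 0  # administrator opted out; other devices stay logged in
        # Assumption: the session making the change survives, all others go.
        return self.expire_other_sessions(uid, uid, keep_sid=current_sid)


if __name__ == "__main__":
    store = SessionStore()
    laptop, phone = store.login(1), store.login(1)  # constructed sample sessions
    print("expired:", store.change_password(1, laptop))
    print("phone still valid:", phone in store.sessions)
```

With the setting disabled, a session that was stolen before the password change stays valid afterwards, which is the risk the setting's description would need to spell out.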