Remove all sessions of an user

alinrj

Hi!
I have a website that login the user to flarum when he connects to this app, but when the password is changed the user needs to be loged out from flarum on all devices. Is there a way that I can disconnect him from all the platforms where he is connected?

clarkwinkelmann

There is a plan to add a session management UI where sessions can be remotely terminated, which could be coupled with a checkbox during password reset, but this is not implemented at this time.

If you need to do this manually, you can delete the user's tokens in the access_tokens table.

Flarum uses disk-based Symfony sessions for temporary data storage which won't be deleted, but each session file is linked with a token in the database. If the token in the database is deleted or expired, the existing session ID will appear as logged out, and the session data will be cleared by the garbage collector later or when the user logs in again.

alinrj

I need to do this automatic, not manually. Is there a way that I can delete the access_tokens of the user with a reuqest or something? Or what method you think is the best for this?

Wadera

You will need to do DB query to get it done. Like @clarkwinkelmann explain - this is still work in progress function, so no API calls as far as I know (correct me if I'm wrong).

clarkwinkelmann

Actually there's one thing I forgot, there is one feature in Flarum where all sessions are cleared, it's the explicit logout.

If you click the logout button, all your active sessions on all devices are terminated.

If the session expires naturally, other sessions are not terminated.

You might be able to manually trigger this with a javascript call to the logout endpoint. The CSRF token needs to be attached to the request for this to require no interaction from the user.

Once we have a proper session management UI, this behavior will probably be changed because it doesn't actually make much sense to always end all sessions if there's a different button available to do exactly that.