Reset all login tokens


(Kane York) #1

With the recent Heartbleed vulnerability, I think it would be a good forward-looking feature to be able to reset/clear all user login tokens, and maybe some other breach recovery-oriented operations.

There doesn’t need to be any actual UI for this, just a TUI.

(This post was inspired by Github resetting all login tokens after they upgraded their OpenSSL versions.)

(edit) I think this accomplishes it:

UPDATE users
SET auth_token = NULL
 -- WHERE all rows
;

(Sam Saffron) #2

Sure,

Why not add a “stats” tab to https://sitename/admin/users it can display some statistics about users … how many were online in the last hour, how many total, how many logged in sessions. And provide a big button to “log out all users” available to admins only.

Can you spec this out in greater detail so I can convert to a mini-spec?
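As an added example (not Discourse's code, and not part of this thread), the following Python script models both operations discussed above against a constructed, in-memory SQLite table: the blanket `UPDATE users SET auth_token = NULL` from the first post, and the three counters proposed for a stats tab (total users, users seen in the last hour, live login sessions). The schema, the `last_seen_at` column and the convention that a NULL `auth_token` means "no live session" are assumptions for illustration, not Discourse's real users table. The lookup function also refuses an absent or empty cookie value outright, so that a cleared row can never be matched by a client presenting a blank token.

```python
import sqlite3
import secrets
from datetime import datetime, timedelta

# Constructed, minimal schema for illustration only; it is NOT Discourse's real users table.
SCHEMA = """
CREATE TABLE users (
    id           INTEGER PRIMARY KEY,
    username     TEXT NOT NULL UNIQUE,
    auth_token   TEXT,    -- NULL means "no live login session" (assumed convention)
    last_seen_at TEXT     -- ISO-8601 UTC timestamp, NULL if never seen
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def issue_token(conn, username, now):
    """Log a user in: mint a random token and record when they were last seen."""
    token = secrets.token_hex(16)
    conn.execute(
        "UPDATE users SET auth_token = ?, last_seen_at = ? WHERE username = ?",
        (token, now.isoformat(), username),
    )
    conn.commit()
    return token


def user_for_token(conn, token):
    """Resolve a login cookie to a username, or None if it is not a live session."""
    # Refuse absent/empty cookies before touching the database: a blank value
    # must never be looked up, so a row whose token was cleared cannot be matched.
    if not token:
        return None
    row = conn.execute(
        "SELECT username FROM users WHERE auth_token = ?", (token,)
    ).fetchone()
    return row[0] if row else None


def reset_all_tokens(conn):
    """The breach-recovery operation from the first post: no WHERE clause,
    so every row is cleared and every outstanding login cookie stops working."""
    cur = conn.execute("UPDATE users SET auth_token = NULL")
    conn.commit()
    return cur.rowcount  # number of rows touched


def user_stats(conn, now):
    """The counters proposed for an admin stats tab (assumed definitions)."""
    total = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    logged_in = conn.execute(
        "SELECT COUNT(*) FROM users WHERE auth_token IS NOT NULL"
    ).fetchone()[0]
    cutoff = (now - timedelta(hours=1)).isoformat()
    # NULL last_seen_at never satisfies the comparison, so never-seen users are excluded.
    online = conn.execute(
        "SELECT COUNT(*) FROM users WHERE last_seen_at >= ?", (cutoff,)
    ).fetchone()[0]
    return {"total": total, "logged_in_sessions": logged_in, "online_last_hour": online}


def demo():
    """Constructed scenario: three users, two logged in, then a mass logout."""
    conn = open_db()
    now = datetime(2014, 4, 10, 12, 0, 0)
    conn.executemany(
        "INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",), ("carol",)]
    )
    t_alice = issue_token(conn, "alice", now - timedelta(minutes=10))  # active recently
    t_bob = issue_token(conn, "bob", now - timedelta(hours=3))          # logged in, idle
    before = user_stats(conn, now)
    assert user_for_token(conn, t_alice) == "alice"  # cookie works before the reset
    cleared = reset_all_tokens(conn)
    after = user_stats(conn, now)
    return {
        "before": before,
        "cleared_rows": cleared,
        "after": after,
        "alice_after": user_for_token(conn, t_alice),  # old cookie now rejected
        "bob_after": user_for_token(conn, t_bob),
        "null_cookie": user_for_token(conn, None),
        "empty_cookie": user_for_token(conn, ""),
    }


if __name__ == "__main__":
    print(demo())
```

Note that `online_last_hour` is unchanged by the reset: it is derived from `last_seen_at`, not from the token, which is why the two counters are worth showing side by side on such a tab.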


(Jeff Atwood) #3

Those stats are already available at the bottom of the admin homepage so it would be kind of a duplicate page…


(Sam Saffron) #4

I am thinking about a more detailed view into users. We have some high level stats on dashboard. But we could go into more details there.

Reset auth tokens definitely does not belong on the dashboard.


(Jeff Atwood) #5

There may also be times for whatever reason that you need to kick everyone off the site, even invalidate all logins. I know we did this about once a year on average at Stack Exchange.


(Felix Freiberger) #6

A mass-logout button would be awesome! Related use cases are here and here.


(Kane York) #7

Reading this again, I take back my position in the OP: there probably does need to be UI for this. Perhaps nearby the backup/recovery section of the admin panel.


(Felix Freiberger) #8

Semantically, I’d look for it in the Users section. But Backup is probably fine, too :slight_smile:

Another related feature would be an option to reset all passwords (in case of a breach).