Reset all login tokens

With the recent Heartbleed vulnerability, I think it would be a good forward-looking feature to be able to reset/clear all user login tokens, and maybe some other breach recovery-oriented operations.

There doesn’t need to be any actual UI for this, just a TUI.

(This post was inspired by GitHub resetting all login tokens after they upgraded their OpenSSL versions.)

(edit) I think this accomplishes it:

UPDATE users
SET auth_token = NULL
 -- WHERE all rows
;
8 Likes
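As an added example (not part of the original post and not Discourse's own code), the sketch below runs the same kind of `UPDATE` against an in-memory SQLite database and checks that previously issued tokens stop authenticating while users can still sign in again. Only the `users` table and `auth_token` column names come from the post; the rest of the schema, the function names and the sample users are assumptions made for the demo.

```python
import secrets
import sqlite3

def make_db():
    # Constructed schema: only `users` and `auth_token` come from the post.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY,"
               " username TEXT UNIQUE, auth_token TEXT)")
    db.executemany("INSERT INTO users (username) VALUES (?)",
                   [("alice",), ("bob",), ("carol",)])  # constructed sample users
    db.commit()
    return db

def log_in(db, username):
    """Issue a fresh random token for a user (password check left out of the demo)."""
    token = secrets.token_hex(16)
    with db:  # commits on success, rolls back on error
        db.execute("UPDATE users SET auth_token = ? WHERE username = ?",
                   (token, username))
    return token

def user_for_token(db, token):
    """Resolve a cookie token to a username, or None if it is not valid."""
    if not token:  # an empty cookie must never match a cleared row
        return None
    row = db.execute("SELECT username FROM users WHERE auth_token = ?",
                     (token,)).fetchone()
    return row[0] if row else None

def reset_all_tokens(db):
    """Clear every token in one transaction; return how many sessions ended."""
    with db:
        cur = db.execute("UPDATE users SET auth_token = NULL"
                         " WHERE auth_token IS NOT NULL")
        return cur.rowcount

def demo():
    db = make_db()
    old = {name: log_in(db, name) for name in ("alice", "bob")}  # carol never logged in
    ended = reset_all_tokens(db)
    still_valid = [n for n, t in old.items() if user_for_token(db, t)]
    new_token = log_in(db, "alice")  # signing in again yields a new token
    return ended, still_valid, user_for_token(db, new_token), new_token != old["alice"]

if __name__ == "__main__":
    print(demo())
```

Restricting the update to rows where `auth_token IS NOT NULL` makes the returned row count equal the number of sessions actually ended, which is a useful figure to record in an incident log.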

Sure,

Why not add a “stats” tab to https://sitename/admin/users? It can display some statistics about users … how many were online in the last hour, how many total, how many logged-in sessions. And provide a big button to “log out all users” available to admins only.

Can you spec this out in greater detail so I can convert to a mini-spec?

2 Likes

Those stats are already available at the bottom of the admin homepage so it would be kind of a duplicate page…

I am thinking about a more detailed view into users. We have some high level stats on dashboard. But we could go into more details there.

Reset auth tokens definitely does not belong on the dashboard.

2 Likes

There may also be times for whatever reason that you need to kick everyone off the site, even invalidate all logins. I know we did this about once a year on average at Stack Exchange.

2 Likes

A mass-logout button would be awesome! Related use cases are here and here.

3 Likes

Reading this again, I take back my position in the OP: there probably does need to be UI for this. Perhaps near the backup/recovery section of the admin panel.

5 Likes

Semantically, I’d look for it in the Users section. But Backup is probably fine, too 🙂

Another related feature would be an option to reset all passwords (in case of a breach).

2 Likes