This repository has been archived by the owner on Jun 30, 2023. It is now read-only.
When the logout action is called in the access controller, the authentication_token is deleted from the database, preventing an attack vector where long-lasting authentication_tokens might be used maliciously if discovered.
However, if the user is logged in on other devices, the authentication_tokens stored on those devices are then invalid since any record of them has been deleted. This forces logout on all devices and is a hassle for our users who may be on multiple devices. It is handled by the app currently by forcing a logout and login.
A possible solution could be to associate a separate authentication_token with each UniqueDeviceIdentifier object, and then handle logout on a device-specific level.
On the other hand, this behavior could be considered desirable if a user were to lose a device, etc. and want to log out on all devices. Thus it could be a choice presented to them.
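An added sketch of the per-device token idea proposed in this issue, showing device-specific logout beside a "log out everywhere" option; it is not code from this repository. The class `DeviceTokenStore`, its method names, and the in-memory hash standing in for the database table are all hypothetical.

```ruby
require 'securerandom'

# Hypothetical in-memory stand-in for a tokens table with one row per
# (user, device) pair instead of one authentication_token per user.
class DeviceTokenStore
  def initialize
    @by_token = {} # token => { user_id:, device_id: }
  end

  # Log in on one device: issue a fresh random token and replace any
  # earlier token for that same device only.
  def login(user_id, device_id)
    revoke_device(user_id, device_id)
    token = SecureRandom.hex(32)
    @by_token[token] = { user_id: user_id, device_id: device_id }
    token
  end

  # Returns the user id for a known token, or nil once it has been deleted.
  def authenticate(token)
    row = @by_token[token]
    row && row[:user_id]
  end

  # Device-specific logout: tokens held by the user's other devices survive.
  # Returns the number of tokens deleted.
  def revoke_device(user_id, device_id)
    revoke { |row| row[:user_id] == user_id && row[:device_id] == device_id }
  end

  # "Log out on all devices" (for example after losing a device).
  def revoke_all(user_id)
    revoke { |row| row[:user_id] == user_id }
  end

  private

  # Delete every row the block selects and report how many were removed.
  def revoke
    before = @by_token.size
    @by_token.delete_if { |_token, row| yield(row) }
    before - @by_token.size
  end
end
```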