
How do I log out of all sessions created after changing the user's password & ...


I store my session ID in Redis. My session ID is globally unique, and every login generates a new session ID, so even the same user will still have different session IDs. So I have no way to destroy the user's session because I have no way to locate it. So how can I design this so as to satisfy my need?

Sessions are a security issue. I suggest using a library/framework to do it. If you hand roll your own solution and you do it wrong, you open your users up to session hijacking, prediction, and/or fixation. Those are bad.

If you're using a session library and it's impossible to do what you want without seriously monkeying around, there's probably a reason.

If you really want to roll your own rather than using a session library, start here.
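
The design the question asks for, as an added example that is not part of the original question or answer: keep a per-user index of session IDs beside the sessions themselves, so a password change can locate and delete all of them. `SessionStore` is a hypothetical in-memory stand-in for Redis, and every name in it is an assumption; the comments note the Redis commands each structure would map to.

```python
import secrets


class SessionStore:
    """In-memory stand-in for Redis (hypothetical names, constructed for this example)."""

    def __init__(self):
        self.sessions = {}    # sid -> user_id; in Redis: SET session:<sid> <user_id> EX <ttl>
        self.user_index = {}  # user_id -> {sid, ...}; in Redis: SADD user_sessions:<user_id> <sid>

    def login(self, user_id):
        sid = secrets.token_urlsafe(32)  # unpredictable, globally unique session ID
        self.sessions[sid] = user_id
        self.user_index.setdefault(user_id, set()).add(sid)
        return sid

    def lookup(self, sid):
        return self.sessions.get(sid)

    def logout(self, sid):
        user_id = self.sessions.pop(sid, None)
        if user_id is not None:
            self.user_index.get(user_id, set()).discard(sid)

    def revoke_all(self, user_id):
        """Delete every session recorded for user_id and return how many were live."""
        sids = self.user_index.pop(user_id, set())
        # An index entry may outlive its session (e.g. TTL expiry), so count only real deletions.
        return sum(1 for sid in sids if self.sessions.pop(sid, None) is not None)


def change_password(store, user_id, current_sid):
    """Revoke all of the user's sessions, then issue a fresh one for the caller."""
    if store.lookup(current_sid) != user_id:
        raise PermissionError("session does not belong to this user")
    # (Updating the stored password hash would happen here; omitted.)
    store.revoke_all(user_id)
    return store.login(user_id)
```

Issuing a new session ID to the caller after the change, instead of keeping the old one, means no ID that existed before the password change remains valid.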

