
add session revocation #257

Open
wants to merge 1 commit into base: main

Conversation

patrick-hofmann

Add the possibility to revoke sessions, to prevent session stealing from cookies of logged-out users.

@atinux
Owner

atinux commented Oct 27, 2024

Thank you @patrick-hofmann

But I believe in order to do this we need to properly think of creating a more generic Session Storage, so it can be used instead to track active sessions rather than storing revoked ones.

If I am not mistaken I believe @Barbapapazes is working on something like this.

@Barbapapazes
Contributor

Hello 👋,

Indeed, I'm working on something but I can't give an ETA (I'm making progress but it's bigger than expected).

With a cookie store, you can't revoke a session but you don't need to store the session. It's a compromise compared to a database session.

You can't revoke a cookie session because you're using the user's device as a store, and so the store isn't centralised. For this reason, it is not possible to get all the sessions of the same user.

If the session is on a stolen device, you'll never be able to revoke a session. With a database session, a user can view all active sessions and delete them (on the server) so the cookie won't be usable.

@patrick-hofmann
Author

Hi @atinux and @Barbapapazes

Can I help you with your work in progress solution?

Best regards,
Patrick

@patrick-hofmann
Author

Hi @atinux and @Barbapapazes 👋

I've added a PR #265 to provide a server-side session and therefore allow revoking sessions by logging out the user. I've used useStorage in order to persist the data, since it's less effort (also for beginners) in contrast to a full database implementation and has fewer dependencies.

Maybe @Barbapapazes we can merge your progress at some point?

For a complete server-side handling of users with different login methods, we could think of nuxt-auth-utils being an identity provider itself and federating the login to the different providers. This way, sessions of a user with a unique id across providers could be related and managed across devices. But I think this is an even bigger decision/implementation, and I'm not sure if this is still in the scope of this module or if this should be a separate module (nuxt-auth-idp?).
