Item12699: Removing a user should also remove any cgisess files to kill current sessions.

Priority: Enhancement
Current State: Closed
Released In: 2.0.0
Target Release: major
Applies To: Engine
Component: LoginManager
Branches: trunk
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
I noticed that even after a spamming user was removed from foswiki.org, there was still some activity in the logs. The solution would be to also kill the session file.

This probably ought to be added as a function of Foswiki::LoginManager.

removeUserSession( "userToRemove" )

  • Scan all cgisess files and delete any files with AUTHUSER => matching the passed user

I'm not sure if this should be more generic, removeUserSession( AUTHUSER => "...", SESSION_REMOTE_ADDR => "x.x.x.x" ) remove only sessions that match all supplied attributes? Probably overkill.

Adding it to LoginManager though would make it dependent upon Foswiki 1.2, so we probably need to implement it in the plugin for 1.1.x, and add the feature to LoginManager for 1.2. Extending LoginManager would need a Feature Proposal.

-- GeorgeClark - 17 Dec 2013

I also noticed that some cgisess files appear to be written with Data::Dumper, and others with Storable. I wonder if that changed in some version of CGI::Session.

-- GeorgeClark - 17 Dec 2013

See OneStepUserDeletion and Item12207. This looks like it would be covered by an existing feature request.

-- GeorgeClark - 20 Dec 2013
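
The scan proposed above, written out as an added example; it is not Foswiki or LoginManager code. The function name `remove_user_sessions`, the `cgisess_*` file-name pattern, and the two on-disk formats it handles (Data::Dumper text beginning with `$D =`, anything else treated as `Storable::freeze` output) are assumptions, and the sample session files are constructed.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use Storable ();

# Hypothetical helper (not Foswiki API): delete every cgisess_* file in $dir
# whose stored AUTHUSER equals $user. Returns the names of the removed files.
sub remove_user_sessions {
    my ( $dir, $user ) = @_;
    my @removed;
    opendir( my $dh, $dir ) or die "Cannot open $dir: $!";
    for my $name ( sort grep { /^cgisess_\w+$/ } readdir $dh ) {
        my $path = "$dir/$name";
        next if -l $path || !-f $path;    # skip symlinks and non-files
        open( my $fh, '<:raw', $path ) or next;
        my $data = do { local $/; <$fh> };
        close $fh;
        next unless defined $data && length $data;
        my $auth;
        if ( $data =~ /^\s*\$D\s*=/ ) {
            # Data::Dumper text: read the value with a pattern, never eval it.
            $auth = $3
              if $data =~ /(['"]?)\bAUTHUSER\1\s*=>\s*(['"])(.*?)\2/;
        }
        else {
            # Assumed to be Storable::freeze output; thaw croaks on other data.
            my $ref = eval { Storable::thaw($data) };
            $auth = $ref->{AUTHUSER} if ref($ref) eq 'HASH';
        }
        next unless defined $auth && $auth eq $user;
        unlink $path or warn "Could not remove $path: $!";
        push @removed, $name unless -e $path;
    }
    closedir $dh;
    return @removed;
}

# Constructed sample sessions in a scratch directory (not real Foswiki data).
my $dir     = tempdir( CLEANUP => 1 );
my %samples = (
    cgisess_aaa1 => q[$D = {'_SESSION_ID' => 'aaa1','AUTHUSER' => 'SpamUser'};;$D],
    cgisess_bbb2 => q[$D = {'_SESSION_ID' => 'bbb2','AUTHUSER' => 'GoodUser'};;$D],
    cgisess_ccc3 => Storable::freeze( { _SESSION_ID => 'ccc3', AUTHUSER => 'SpamUser' } ),
);
for my $name ( keys %samples ) {
    open( my $out, '>:raw', "$dir/$name" ) or die "Cannot write $name: $!";
    print {$out} $samples{$name};
    close $out;
}
print "removed: $_\n" for remove_user_sessions( $dir, 'SpamUser' );
```

Run against the constructed directory, this removes `cgisess_aaa1` and `cgisess_ccc3` and leaves the `GoodUser` session in place.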
 
Topic revision: r9 - 05 Jul 2015, GeorgeClark