[#14451] Remote logout on all devices
Summary Remote logout on all devices
Queue IMP
Queue Version Git master
Type Enhancement
State Feedback
Priority 1. Low
Requester jo@jolanders.com
Created 2016-08-23 (1882 days ago)
Updated 2016-08-31 (1874 days ago)
Patch No

jo@jolanders.com 2016-08-23 22:31:39
Would love the ability to force logout or do a remote logout on all 
devices when a user has forgotten to log out of horde (for example, on 
a "public" computer or a computer at a remote or client location. 
Currently using a work-around by changing the user password, but 
something like gmail or facebook's "log me out on all devices" would 
be a wonderful option; currently this is a huge security issue for my 
business; we provide bookkeeping services off or on-site at client 
locations. When on-site at a client location,w e are using their 
computer and software, which means logging in on their device. If 
someone forgets to logout before they leave, Horde doesn't time them 
out and may still be running days later, with full access to that 
person's email.

Jan Schneider <jan@horde.org> 2016-08-31 13:39:05
This could be done in at least two possible ways:
1) Using the session handling in PHP. We would need to find and delete 
all of the user's sessions, which may or may not work, depending on 
the session handler backend.
2) Setting some flag that's checked on each request and that logs the 
user out when set. This would add additional overhead to each request 
and the question is, where to store this flag. Prefs are ruled out 
because they are cached in the session.