
Clearing a vanilla session remotely?

moke New
edited February 2016 in Vanilla 2.0 - 2.8

Is there any way to clear a Vanilla session remotely? I think I've left a public computer logged in which I don't have easy access to. I figured changing my password would clear the session, but having tested it at home, that isn't the case.

I've also tried clearing GDN_Session with no luck.

Thank you

Comments

  • R_J Ex-Fanboy Munich Admin

    I would try deleting the TransientKey in table GDN_User, column Attributes, for this user.

  • moke, just to explain: there is no such thing as logged in. HTTP is stateless.

    Cookies are a workaround for this. There is no session to clear.

    To invalidate all cookies, what you need to do is change the cookie salt in conf/config.php:

    $Configuration['Garden']['Cookie']['Salt'] = 'insert random chars';

    You need to enter a random string of letters and numbers around the same length as it is now.

    grep is your friend.

  • Btw, the session table has nothing to do with authentication. It is for transient user data only.

    Authentication details are never stored, therefore could not be exposed this way. It is a system called HMAC, which is able to validate the session without storage.

    grep is your friend.

  • Thank you both! Just managed to fix it by changing the salt value.

  • Linc Detroit Admin

    Yes, changing the cookie hash and globally destroying all current logins is the only way to accomplish this. We don't currently make use of the Session table, so there's no session token to destroy.

  • It is a bad idea to store tokens anyway. If tokens were stored, if they get exposed you are screwed.

    grep is your friend.
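
The stateless scheme described in the comments above, as an added example that is not part of the original thread and is not Vanilla's own code: a simplified HMAC-signed login cookie, showing why there is no per-user record to delete and why changing the salt invalidates every cookie at once. The cookie layout, the helper names `issue_cookie` and `verify_cookie`, the salts and the timestamps are assumptions made for illustration.

```php
<?php
// Simplified stateless login cookie (illustration only, not Vanilla's real format).

// Hypothetical helper: build "userId|expiry|signature", signed with the site-wide salt.
function issue_cookie(int $userId, int $expiry, string $salt): string {
    $payload = $userId . '|' . $expiry;
    return $payload . '|' . hash_hmac('sha256', $payload, $salt);
}

// Hypothetical helper: return the user ID if the signature and expiry check out,
// otherwise null. Nothing is looked up in a database or session table.
function verify_cookie(string $cookie, string $salt, int $now): ?int {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expiry, $signature] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expiry)) {
        return null;
    }
    $expected = hash_hmac('sha256', $userId . '|' . $expiry, $salt);
    if (!hash_equals($expected, $signature)) { // constant-time comparison
        return null;
    }
    return ((int) $expiry >= $now) ? (int) $userId : null;
}

// Constructed sample values.
$now     = 1455000000;
$oldSalt = 'constructed-old-salt-value';
$newSalt = 'constructed-new-salt-value';

// Cookie left behind on the public computer, plus another user's cookie.
$publicPcCookie = issue_cookie(42, $now + 30 * 86400, $oldSalt);
$otherUser      = issue_cookie(7, $now + 30 * 86400, $oldSalt);

// In this scheme the password is not an input to the signature, so a password
// change leaves the old cookie verifiable for as long as the salt is unchanged.
var_dump(verify_cookie($publicPcCookie, $oldSalt, $now + 3600));

// After the salt in the config is replaced, the recomputed signature no longer
// matches: the public-computer cookie and every other user's cookie are rejected.
var_dump(verify_cookie($publicPcCookie, $newSalt, $now + 3600));
var_dump(verify_cookie($otherUser, $newSalt, $now + 3600));

// A fresh login after the change is signed with the new salt and verifies.
var_dump(verify_cookie(issue_cookie(42, $now + 86400, $newSalt), $newSalt, $now + 3600));
```

The trade-off is visible in the third check: with a single site-wide salt there is no way to revoke one user's cookie without logging everyone out.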
