Logout existing sessions after an auth config change #21304
Conversation
Func86
force-pushed
the
session-reset
branch
2 times, most recently
from
f0ccfa3
to
c896268
Compare
Func86
force-pushed
the
session-reset
branch
from
c896268
to
24c7227
Compare
There was a problem hiding this comment.
@Func86
I think the current state of the PR is the wrong approach.
You should invoke logoutAllSessions() in if (hasKey(u"web_ui_username"_s)) and if (hasKey(u"web_ui_password"_s)) in appcontroller.cpp. And in if (const QString username = webUIUsername(); isValidWebUIUsername(username)) & if (const QString password = webUIPassword(); isValidWebUIPassword(password)) in optionsdialog.cpp
And you should not bother to check the previous value, just invoke logoutAllSessions() within the if block.
UPDATE, disregard the above. It should be done in WebUI::configure() instead. This is where the server updates the configuration.
The same as currently. WebUI will have to store the previous username/password values to detect that they have changed. |
I think the following should work:
|
It could do the job.
It also mentions some other settings besides the username and password, changing which should lead to the termination of sessions. How about it? |
Func86
force-pushed
the
session-reset
branch
2 times, most recently
from
33ac9d1
to
12e1112
Compare
Done. |
Func86
changed the title
Func86
force-pushed
the
session-reset
branch
3 times, most recently
from
4050ed9
to
8edda6b
Compare
src/base/preferences.cpp
Outdated
| if (m_credentialsChanged) | ||
| emit webCredentialsChanged(); |
There was a problem hiding this comment.
| if (m_credentialsChanged) | |
| emit webCredentialsChanged(); | |
| if (m_credentialsChanged) | |
| { | |
| emit webCredentialsChanged(); | |
| m_credentialsChanged = false; | |
| } |
There was a problem hiding this comment.
Do you still need the changes in isessionmanager.h after applying the above suggestions?
There was a problem hiding this comment.
Do you still need the changes in isessionmanager.h after applying the above suggestions?
What? The change in isessionmanager.h is for terminating sessions which bypassed authentication when the bypass is disabled or changed to possibly stricter than before.
There was a problem hiding this comment.
The change in isessionmanager.h is for terminating sessions which bypassed authentication when the bypass is disabled or changed to possibly stricter than before.
Why not just remove all sessions unconditionally when the option changed?
There was a problem hiding this comment.
I think it would be surprising for users with authenticated sessions to find they are logged out after changing these options.
By the way, we may want to disallow unauthenticated sessions to change the username/password.
Func86
force-pushed
the
session-reset
branch
from
8edda6b
to
43906ee
Compare
src/base/preferences.cpp
Outdated
| if (m_credentialsChanged) | ||
| emit webCredentialsChanged(); |
There was a problem hiding this comment.
The change in isessionmanager.h is for terminating sessions which bypassed authentication when the bypass is disabled or changed to possibly stricter than before.
Why not just remove all sessions unconditionally when the option changed?
Func86
force-pushed
the
session-reset
branch
2 times, most recently
from
68d3b4c
to
aad811a
Compare
Func86
force-pushed
the
session-reset
branch
2 times, most recently
from
c904cd0
to
1782c3b
Compare
Func86
force-pushed
the
session-reset
branch
from
1782c3b
to
99afe3c
Compare
Closes #18443.