Implement session tokens for moin2
Some IRC log from #pocoo:
(18:03) < ThomasWal> mitsuhiko: there is no builtin way to revoke a securecookie based session, right?
(18:04) < mitsuhiko> ThomasWaldmann: none besides changing the private key
(18:04) < ThomasWal> yeah, sure, but that is rather global :)
(18:05) < ThomasWal> my use case is: user x thinks someone else might know his credentials and changes his password
(18:06) < ThomasWal> problem: that other person might be logged in and have a session, so other person could change password again
(18:06) < DasIch_> ThomasWaldmann: this is why you require the current password to change it
(18:07) < ThomasWal> (or just use the session he has as long as it is valid)
(18:07) < ThomasWal> DasIch_: ok, we do that
(18:07) < ThomasWal> still, he has a session
(18:09) < DasIch_> is it even possible to remove cookies?
(18:09) < ThomasWal> i am rather thinking of invalidating
(18:10) < ThomasWal> maybe one could store some random value into the user profile on password change
(18:10) < ThomasWal> that value is also in the cookie
(18:10) < ThomasWal> if it mismatches, cookie is invalid
(18:10) < moraes> ThomasWaldmann, store a token on session
(18:10) < DasIch_> ThomasWaldmann: like a user secret?
(18:10) < moraes> then check it
(18:11) < ThomasWal> moraes: so each time one logs in somewhere, all other sessions get invalid?
(18:11) < moraes> that is what i call a token
(18:12) < ThomasWal> DasIch_: it is not secret
(18:13) < moraes> DasIch_, like a random string
(18:13) < moraes> ThomasWaldmann, yes, this is unfortunate
(18:13) < ThomasWal> might be slightly impractical if user wants to have multiple sessions in parallel
(18:13) < ThomasWal> e.g. for browser testing or for other reasons
(18:14) < moraes> for the simplest implementation, you log in here, logout there
(18:15) < ThomasWal> ok, but the common pattern is that we store some random thing into profile and into cookie and compare it
(18:15) < ThomasWal> if it mismatches, session is invalid
(18:15) < ThomasWal> and we either change that random value on login or on password change
(18:16) < moraes> but it is possible to have multiple valid tokens
(18:16) < moraes> just adds a bit of complexity
(18:16) < moraes> and you add a link "logout on all machines" like gmail has
(18:16) < moraes> which basically deletes the tokens from google servers
(18:17) < ThomasWal> ok, that sounds like a plan :)
(18:17) < moraes> ThomasWaldmann, or set a timer
(18:17) < moraes> login and logout + periodic renewal
(18:19) < moraes> ThomasWaldmann, tipfy auth system has this token stuff, and renewal etc
(18:19) < ThomasWal> periodic remove is doable via cookie lifetime
Additional thoughts:
- we store user profile as an item
- do not put the tokens under revision control: rewriting them on every login or logout would create far too many revisions of the profile item
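The token scheme the log converges on (random token kept both in the signed cookie and in the user profile, several tokens per user so parallel sessions keep working, a "logout on all machines" action, and revocation on password change), as an added example; this is not moin2's code and not the tipfy auth code mentioned in the log. It assumes a stdlib-only stand-in for the profile item and leaves the cookie signing itself to the securecookie layer.

```python
"""Per-user session tokens for a securecookie-based login.

The signed cookie only carries a random token; the same token is stored in
the user's profile (unrevisioned). A request whose cookie token is not in the
profile's token set is treated as logged out, which is how a session gets
revoked without changing the site-wide secret key.
"""
import hmac
import secrets


class UserProfile:
    """Minimal stand-in for a moin2 user profile item (assumed, not moin's own)."""

    def __init__(self, name):
        self.name = name
        self.session_tokens = set()  # every session currently valid for this user


def login(profile):
    """Start a new session: mint a token, remember it, return it for the cookie."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not secret per se
    profile.session_tokens.add(token)
    return token


def session_is_valid(profile, cookie_token):
    """Compare the cookie's token with each stored one in constant time."""
    if not cookie_token:
        return False
    wanted = cookie_token.encode()
    return any(hmac.compare_digest(wanted, t.encode()) for t in profile.session_tokens)


def logout(profile, cookie_token):
    """End only the session that presented this token."""
    profile.session_tokens.discard(cookie_token)


def logout_everywhere(profile):
    """The 'logout on all machines' link: drop every token at once."""
    profile.session_tokens.clear()


def change_password(profile, cookie_token):
    """Keep only the session that changes the password (the variant ThomasWal
    mentions); any other session, e.g. one opened with leaked credentials,
    loses its token and is logged out on its next request."""
    if not session_is_valid(profile, cookie_token):
        raise PermissionError("password change attempted from an invalid session")
    profile.session_tokens = {cookie_token}
```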