ziycon

  • Posts: 126
Session Management
« on April 18th, 2013, 11:53 AM »
Not sure if it's been talked about, but would you consider a session management feature which would allow an admin to kill off user sessions through the interface instead of having to go into the database or wherever the sessions are maintained for the life of the session?

It would allow for more transparency for admins in allowing them to see the session, the associated user, when the session was created, when the user was last seen with that session etc.

It could also allow you to kill a particular session if there is an issue with a user logging in. It would be useful for some troubleshooting issues I've come across in the past.

Just an idea I would think could be beneficial, no worries if you disagree.
APRAI - Custom Theme - SMF 2.0.5


Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: Session Management
« Reply #1, on April 18th, 2013, 03:38 PM »
Quote
It would allow for more transparency for admins in allowing them to see the session, the associated user, when the session was created, when the user was last seen with that session etc.
Is that a good thing?

There is a host of technical matters around this, including the number of sessions likely to be present in the database, versus the number of sessions that are considered to be online (the number is likely to be different), and remember that every guest also has a session too.

I would also love to know in what scenarios this would actually be useful for debugging.
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial

ziycon

  • Posts: 126
Re: Session Management
« Reply #2, on April 18th, 2013, 03:55 PM »
Like I said, it was only a suggestion. If you feel it wouldn't be of any benefit, that's grand.

I was coming from the point of view where an admin can view all active sessions on a per user basis, not every session at once, and allow an admin to kill the session if needed for whatever reason.

I could have put more detail in; I'm coming from the way Google allows a user to manage their own sessions and can kill a session where they see activity or a login that wasn't them.

Hope that's a bit clearer.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: Session Management
« Reply #3, on April 18th, 2013, 03:58 PM »
Quote
I was coming from the point of view where an admin can view all active sessions on a per user basis, not every session at once, and allow an admin to kill the session if needed for whatever reason.
Well, users with logging in trouble are likely to have guest sessions, not user sessions - and there's no way to differentiate guests apart.
Quote
I'm coming from the way Google allows a user to manage their own sessions and can kill a session where they see activity or a login that wasn't them.
That actually seems like a bad idea to me - if a user can manage their own sessions, a user who has broken into an account can effectively lock out the real user - doubly so for an admin account.


The idea is interesting, I'm just not sure how practical it would be in context of what we do and how it all works.

Now, if admin and regular user sessions were *separate* like they are in systems like IPB, that's a whole different ball game entirely.

ziycon

  • Posts: 126
Re: Session Management
« Reply #4, on April 18th, 2013, 04:08 PM »
I get what you mean about a compromised user account; that actually brings to mind the way Facebook deals with logins from outside the 'usual' IP range or country, where you are challenged with questions to prove it's your account.

Possibly a mash-up of the two could be used to stop an unauthorised user killing valid sessions.