Posted to user@shiro.apache.org by drmike01 <ms...@gmail.com> on 2012/09/16 02:10:01 UTC

Possible to invalidate session for a specific user (e.g., pwd reset?)

This isn't a critical item, but I would like to invalidate any sessions that
are still out there when a user successfully resets their password after
having lost it. This seems to make sense, since if they knew it they
wouldn't be logged in, and they should use the new one after the change.
Also, I don't have their Session available because they can't log in to
acquire it.

I hunted around for something like this in the documentation, but couldn't
find any way to get a specific Session based on one of the Session's
attributes (I think that's the right term), only the ID, which I wouldn't
have access to. I could probably find the way Shiro does it during a login,
but I'd rather use a supported method for it.

Thanks!
Mike

Re: Possible to invalidate session for a specific user (e.g., pwd reset?)

Posted by Les Hazlewood <lh...@apache.org>.
Hi Mike,

There isn't a way to do this in Shiro's API currently.  The current
expectation is that the session store behind your SessionDAO implementation
can support this natively.  That is, a Session record must be queryable by
one (or more) of the session's attributes.

Shiro's default SessionDAO implementations are key/value based and only key
the session by its ID.  If you wanted to query by another property, you
would need to use a data store that supported other indices and then
interact with the store directly to query based on another property.  (e.g.
an RDBMS or NoSQL store that supports multiple indices).

If there are any recommendations as to how this should work in Shiro (keeping
in mind that some datastores cannot be queryable), I'm personally very open
to suggestions.

Cheers,


--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282

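
One way to get the secondary index the reply describes, as an added example that is not part of the thread and not code from the Shiro project: a `MemorySessionDAO` subclass that also keys sessions by primary principal, so a password-reset handler can remove every session for one user. The class name and `invalidateSessionsFor` are hypothetical; it assumes a single-JVM in-memory store, a primary principal with stable `equals`/`hashCode` (e.g. a username string), and relies on Shiro saving the `PrincipalCollection` under `DefaultSubjectContext.PRINCIPALS_SESSION_KEY` at login.

```java
import java.io.Serializable;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.UnknownSessionException;
import org.apache.shiro.session.mgt.eis.MemorySessionDAO;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.support.DefaultSubjectContext;

// Hypothetical class: MemorySessionDAO plus a secondary index on the primary principal.
public class PrincipalIndexedSessionDAO extends MemorySessionDAO {
    private final ConcurrentHashMap<Object, Set<Serializable>> idsByPrincipal = new ConcurrentHashMap<>();
    private final ConcurrentHashMap<Serializable, Object> principalById = new ConcurrentHashMap<>();

    // Primary principal Shiro stored on the session at login, or null while anonymous.
    private static Object principalOf(Session s) {
        Object attr = s.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
        return attr instanceof PrincipalCollection
                ? ((PrincipalCollection) attr).getPrimaryPrincipal() : null;
    }

    private void unindex(Serializable id) {
        Object principal = principalById.remove(id);
        Set<Serializable> ids = principal == null ? null : idsByPrincipal.get(principal);
        if (ids != null) ids.remove(id);
    }

    @Override
    public void update(Session s) throws UnknownSessionException {
        super.update(s);
        unindex(s.getId()); // the principal may have been set, changed, or cleared by logout
        Object principal = principalOf(s);
        if (principal != null) {
            principalById.put(s.getId(), principal);
            idsByPrincipal.computeIfAbsent(principal, k -> ConcurrentHashMap.newKeySet()).add(s.getId());
        }
    }

    @Override
    public void delete(Session s) {
        unindex(s.getId());
        super.delete(s);
    }

    // Call after a successful password reset; returns how many sessions were removed.
    public int invalidateSessionsFor(Object principal) {
        Set<Serializable> ids = idsByPrincipal.remove(principal);
        int removed = 0;
        if (ids == null) return removed;
        for (Serializable id : ids) {
            try { delete(readSession(id)); removed++; }
            catch (UnknownSessionException gone) { principalById.remove(id); } // already expired
        }
        return removed;
    }
}
```

Set an instance as the session manager's `SessionDAO`; a request that still presents a removed session ID then fails lookup with `UnknownSessionException` and is treated as having no session.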