/logout should invalidate a player's session

[Twonox]

When we do /logout during the session, the session don't expire. We can do /logout, disconnect then connect to the server without entering our pass.

[sgdc3]

@ljacqu This is related to the Bungeecord messaging refactor (we need to create an iasue for it) and the session refactor

[EbonJaeger]

Id say this is the same issue as #824, and thus related to #582.

[Twonox]

I don't use bungeecord

[sgdc3]

@Twonox Done ;)

[sgdc3]

Whoops found that we already do this

[ljacqu]

Reverted -> code was uglier (let SessionManager worry about session settings, why check if player is authenticated inside the logout process?) and did not fix the issue. You didn't test this.

[sgdc3]

:( you're evil

[sgdc3]

        // Session logic
        if (service.getProperty(PluginSettings.SESSIONS_ENABLED) && (sessionManager.hasSession(name) || database.isLogged(name))) {
            sessionManager.cancelSession(name);

            PlayerAuth auth = database.getAuth(name);
            database.setUnlogged(name);
            playerCache.removePlayer(name);
            if (auth != null && auth.getIp().equals(ip)) {
                service.send(player, MessageKey.SESSION_RECONNECTION);
                plugin.getManagement().performLogin(player, "dontneed", true);
                return;
            } else if (service.getProperty(PluginSettings.SESSIONS_EXPIRE_ON_IP_CHANGE)) {
                service.send(player, MessageKey.SESSION_EXPIRED);
            }
        }
    }

[sgdc3]

L 137 AsyncJoin

[ljacqu]

Ooh bad, good catch on that, and sorry. I expected more logic to be inside SessionManager; I guess the encapsulation story is still open.
Abd next time I implement some feature I will ask you to verify @sgdc3 so you can exercise revenge ;) 😄

[sgdc3]

😈

[ljacqu]

Thank you for reporting this @Twonox. Please verify with build nr. 1219 or above. http://ci.xephi.fr/job/AuthMeReloaded/1219/

[Twonox]

That works thanks :)

[ljacqu]

Thanks for testing!