
Use a new column to log users via RememberMe, so we can force user to re-login from the application #721

Open
calcosta opened this issue Sep 27, 2018 · 7 comments
@calcosta

We just had the situation that a user account had to stay in the database but had to be deactivated.

So we destroyed the user's PHP session and deactivated the user.
However, the remember_me cookie in the user's browser authenticated the user and he got a new, valid session and stayed logged in.

It seems that's because the remember_me cookie stores the user's ID and authenticates the user if there is one in the database with the ID from the cookie.

Isn't it possible to check whether the user account is active when he is authenticated using the remember_me cookie?

Maybe it is better to use a random hash that is saved in the database and the rememberMe cookie to authenticate the user instead of just the ID? That would also give us the possibility to remotely invalidate the rememberMe cookie.

@steinkel
Member

steinkel commented Oct 4, 2018

  • RememberMeAuthenticate is calling $this->_findUser($cookie['id']), so your finder/scope would be in effect. Did you add the 'active' condition to the users finder?
  • Another way to fix this behaviour would be using the EVENT_AFTER_COOKIE_LOGIN to double check the user should have logged in.

I agree we could improve the cookie storage, using a random hash instead of the user id, allowing you to clear it to force users to re-login. This use case could be useful, for example, for requesting acceptance of new terms of service, etc.
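An added example (not code from the CakeDC/Users plugin or from either commenter) of the scheme discussed above: a random token whose hash lives in a new users column, checked together with the active flag, so clearing the column forces a re-login. It is plain PHP with an in-memory array standing in for the users table; the `remember_token` column name and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the users table. The hypothetical
// `remember_token` column stores only a hash of the random value,
// so a read of the table alone does not yield a usable cookie.
$users = [
    1 => ['id' => 1, 'active' => true,  'remember_token' => null],
    2 => ['id' => 2, 'active' => false, 'remember_token' => null],
];

// Issue a cookie value on login: "<id>:<random token>". The plain
// token goes to the browser, its SHA-256 hash goes to the column.
function issueRememberMe(array &$users, int $id): string
{
    $token = bin2hex(random_bytes(32));
    $users[$id]['remember_token'] = hash('sha256', $token);
    return $id . ':' . $token;
}

// Authenticate from the cookie; returns the user id or null.
// A deactivated account or a cleared token fails here, which is
// exactly what an id-only cookie does not do.
function authenticateRememberMe(array $users, string $cookie): ?int
{
    if (!preg_match('/^(\d+):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    $user = $users[(int)$m[1]] ?? null;
    if ($user === null || !$user['active'] || $user['remember_token'] === null) {
        return null;
    }
    // Constant-time comparison of the stored and presented hashes.
    return hash_equals($user['remember_token'], hash('sha256', $m[2]))
        ? $user['id'] : null;
}

// Remote invalidation: clearing the column logs the user out of
// every device with a remember-me cookie, without touching cookies.
function forceRelogin(array &$users, int $id): void
{
    $users[$id]['remember_token'] = null;
}

// Checks below assume zend.assertions=1 (development setting).
$cookie = issueRememberMe($users, 1);
assert(authenticateRememberMe($users, $cookie) === 1);
forceRelogin($users, 1);
assert(authenticateRememberMe($users, $cookie) === null);
// Deactivated account: even a freshly issued cookie is refused.
assert(authenticateRememberMe($users, issueRememberMe($users, 2)) === null);
```

The active-flag check in authenticateRememberMe is the same idea as adding the 'active' condition to the users finder; the token column is what adds the ability to force a re-login from the application.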

@calcosta
Author

calcosta commented Oct 4, 2018

Thanks for your solutions.
I solved it using a separate Authorize class that runs before the users plugin:

Configure::write('Auth.authorize', [
    'ForceLogout',
    'CakeDC/Auth.Superuser',
    'CakeDC/Auth.SimpleRbac',
]);

That class checks if a user is active. If not, he is logged out and redirected to the login page.

Using a random hash could also improve security, as it prevents a user from faking another user's rememberme cookie if their user-id is known?!

@steinkel
Member

steinkel commented Oct 4, 2018

The security issue is not a problem, as the id is encrypted by the server, and even if the user knows another user's id, he won't be able to inject the correctly encrypted value.

@calcosta
Author

calcosta commented Oct 4, 2018

The security issue is not a problem, as the id is encrypted by the server, and even if the user knows another user's id, he won't be able to inject the correctly encrypted value.

Ok, I wasn't sure about how/if the cookie is encrypted. Thanks!

@steinkel
Member

steinkel commented Oct 4, 2018

I'll update this ticket a bit to take note of your suggested feature, thanks!

@steinkel steinkel changed the title Allow remote user logout with rememberMe cookie Use a new column to log users via RememberMe, so we can force user to re-login from the application Oct 4, 2018
@calcosta
Author

calcosta commented Oct 4, 2018

To force a re-login (invalidate the rememberme cookie and the current session) it might also be useful to store the current PHP session ID in the database (if file-based session handling is used). This helps to invalidate the PHP session quickly.

@ajibarra
Member

@steinkel is this still valid? Should we fix it?
