Delete existing user_keys, if password is changed

administrator/language/en-GB/en-GB.plg_system_remember.ini

@@ -5,3 +5,5 @@
 
 PLG_REMEMBER_XML_DESCRIPTION="Provides remember me functionality. The cookie authentication plugin must be enabled for this plugin to function."
 PLG_SYSTEM_REMEMBER="System - Remember Me"
+PLG_REMEMBER_RESET_DESC="Should the 'remember-me' functionality be reset (recommended), when a user changes his password? This will render any existing login cookies on other devices useless."
+PLG_REMEMBER_RESET_LABEL="reset on password change"

language/en-GB/en-GB.com_users.ini

@@ -87,6 +87,7 @@ COM_USERS_PROFILE_PASSWORD2_DESC="Confirm your password."
 COM_USERS_PROFILE_PASSWORD2_LABEL="Confirm Password"
 COM_USERS_PROFILE_REGISTERED_DATE_LABEL="Registered Date"
 COM_USERS_PROFILE_SAVE_FAILED="Profile could not be saved: %s"
+COM_USERS_PROFILE_SAVE_REMEMBERME_USERINFO="Your password change was successful. For your security, we also deactivated any existing 'remember-me' logins on other devices."
 COM_USERS_PROFILE_SAVE_SUCCESS="Profile saved."
 COM_USERS_PROFILE_TWO_FACTOR_AUTH="Two Factor Authentication"
 COM_USERS_PROFILE_TWOFACTOR_LABEL="Authentication Method"

plugins/system/remember/remember.php

@@ -94,4 +94,73 @@ public function onUserLogout($user, $options)
 
 		return true;
 	}
+
+	/**
+	 * Method is called before user data is stored in the database
+	 * If activated in the configuration of the rememeber-me plugin, this method resets all #__user_keys for the current user
+	 * when the user changes his/her password, leaving any existing remember-me cookies on any devices useless!
+	 * This functionality was sadly inspired by the horrific events around Alice Ruggles death (see https://www.alicerugglestrust.org )
+	 *
+	 * @param   array    $user   Holds the old user data.
+	 * @param   boolean  $isnew  True if a new user is stored.
+	 * @param   array    $data   Holds the new user data.
+	 *
+	 * @return    boolean
+	 *
+	 * @since   __DEPLOY_VERSION__
+	 * @throws    InvalidArgumentException on invalid date.
+	 */
+	public function onUserBeforeSave($user, $isnew, $data)
+	{
+		// Irrelevant on new users
+		if ($isnew)
+		{
+			return true;
+		}
+
+		// Irrelevant, because password was not changed by user
+		if ($data['password_clear'] == '')
+		{
+			return true;
+		}
+
+		// Irrelevant, because "resetting on pw change" is not activated
+		if (!$this->params->get('resetRememberMe')) 
+		{
+			return true;
+		}
+
+		// Get the application if not done by JPlugin. This may happen during upgrades from Joomla 2.5.
+		if (!$this->app)
+		{
+			$this->app = JFactory::getApplication();
+		}
+
+		/*
+		 * But now, we need to do something 
+		 * Delete all tokens for this user!
+		*/
+		$db = JFactory::getDbo();
+		$query = $db->getQuery(true)
+			->delete('#__user_keys')
+			->where($db->quoteName('user_id') . ' = ' . $db->quote($user['username']));
+		try
+		{
+			$db->setQuery($query)->execute();
+		}
+
+		catch (RuntimeException $e)
+		{
+			// Log an alert for the site admin
+			JLog::add(
+				sprintf('Failed to delete cookie token for user %s with the following error: %s', $results[0]->user_id, $e->getMessage()),
+				JLog::WARNING,
+				'security'
+			);
+		}
+
+		$this->app->enqueueMessage(JText::_('COM_USERS_PROFILE_SAVE_REMEMBERME_USERINFO'), 'notice'); 
+		return true;
+	}
+
 }