Is there a way to revoke an active session on GitLab?

Is there a way to revoke an active session on GitLab? I tried to revoke an active session on the active session settings but there is no button to do it.

This is pending as a feature request in gitlab-org/gitlab-foss issue 59408 and gitlab-org/gitlab issue 27518.
This feature existed before, but was removed due to reasons listed in the linked issue.
It was a security issue about "a way for any logged in user (attacker) to escalate his privileges to gitlab administrator if the real gitlab administrator impersonates attacker's account."
So:
To delete a single session you would need the session_id, which is no longer exposed in the UI. As a workaround, you can delete all sessions of the user from the Rails console:

```ruby
# user is the User record whose sessions should be revoked,
# e.g. user = User.find_by(username: 'alice')
ActiveSession.list(user).each { |session| ActiveSession.destroy(user, session.session_id) }
```
The Merge Request 17462 is in progress.

Shopify keep user logged in and session never expire

We want to keep the user logged in, or give them the option (like a checkbox) to keep the session up and prevent expiry.
That is something Shopify does not provide. A customer session will always expire, and that allows Shopify to clean up any inventory they may have set aside in their session, among other things.
If you mean a User of your App, they never log in anyway, so what exactly are you speaking of? They get granted authorization via OAuth and JWT tokens, not by logging in/logging out.

Heroku git bash won't open browser for login

When I try to log in on Git Bash it says "heroku: Press any key to open up the browser to login or q to exit:". I am pressing it, but it's stuck here. It won't open the browser for login.
Looks like there is an incident with Heroku login! Facing the same issue. Cannot log in via the dashboard either.
Have you reset your password yet? They just force-reset all passwords that hadn't been updated since a recent breach occurred. I was unable to log in this morning and found all my sessions had expired. Once I did the password reset I was able to log in again as normal.
Details:

Salesforce-owned subsidiary Heroku on Thursday acknowledged that the theft of GitHub integration OAuth tokens further involved unauthorized access to an internal customer database.

The company, in an updated notification, revealed that a compromised token was abused to breach the database and "exfiltrate the hashed and salted passwords for customers' user accounts."

As a consequence, Salesforce said it's resetting all Heroku user passwords and ensuring that potentially affected credentials are refreshed. It also emphasized that internal Heroku credentials were rotated and extra detections have been put in place.
Official: https://status.heroku.com/incidents/2413
Press: https://thehackernews.com/2022/05/heroku-forces-user-password-resets.html

Zapier Magento 2.1.11 authentication gets lost

I set up a user role that has (currently) simply all resources.
I set up a user that has this role.
I authenticate with the user credentials (user and password, no store code) in Zapier to create a connected Magento 2 account.
After some time my zap does not work anymore because the connected account cannot access my Magento anymore.
I can just hit reconnect in Zapier, enter the same credentials as above, and it works again.
But after some time it again does not work.
Looking at the Magento documentation, this is because customer and admin accounts expire after 1 or 4 hours.
Reading the documentation, I would need an integration to have unlimited access.
But in Zapier I cannot enter tokens or anything.
So I really wonder how I would set this up, if it is possible.
Or is Zapier's integration just borked?
What is strange though is that this behavior began after upgrading to Magento version 2.1.11.
Other 2.1.x versions before did not have this problem.
David here, from the Zapier Platform team.
That's a known bug on our end. In the meantime, you can override this via Configuration > Services > OAuth > Access Token Expiration.

How can I close all (plone) sessions opened by a user except the current one?

Let's suppose I had opened two or more user sessions on two or more devices (same user, without admin privileges).
If I log out of the current session, does that mean all the other sessions will also close? If not, is there a way to do this by a URL request?
Something like this:
The user calls a method, e.g. [plone-site]/close-all-sessions-except-this;
Result: all of the user's sessions opened on the other devices are closed.
It would be better if this method were native in Plone.
Gmail has this feature. I think it's an important security and privacy issue.
Not really sure what you are asking, but if you want to automatically log out all authenticated users (not only one user) you can:
Go to the ZMI
Enter acl_users
Select the session plugin
In the "Invalidate all session identifiers" section click the "Clear secrets" button.
As you can read there:
By clicking the button below you clear all secrets used to validate
sessions. This will immediately log out all users who use session
authentication and require them to log in again.
That's a nice feature request, would you mind opening an issue? AFAIK Plone doesn't include that by default.
When you log out of one session Plone will close all sessions for that browser AND site URL, because the session is stored in a cookie set to site's domain. However Plone won't log you out from other browsers/devices, nor in the edge case you're accessing the site by IP, if that's available.
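The GitLab thread above explains why the per-session revoke button was pulled (the UI exposed raw session IDs, including the session an administrator opens when impersonating a user), and the Plone thread asks for "close all sessions except this one", which Plone only offers as a site-wide "Clear secrets". The following is an added example, not GitLab's or Plone's code: a small in-memory session registry in Ruby that shows how both can coexist safely. Users see a keyed hash of each session ID instead of the ID itself, sessions opened by an impersonating admin are never listed for or revocable by the impersonated user, and "log out everywhere else" only touches the caller's own sessions. The class name, method names, the constant server secret and the sample users/IPs are all assumptions made for the example.

```ruby
# Added example, not GitLab's or Plone's code: an in-memory per-user session
# registry that (1) shows users opaque handles instead of raw session IDs,
# (2) hides sessions an admin opened by impersonating the user, and
# (3) offers "log out everywhere else" without clearing the whole site's secret.
require 'openssl'
require 'securerandom'
require 'time'

class SessionRegistry
  Session = Struct.new(:session_id, :user, :created_at, :ip, :impersonator,
                       keyword_init: true)

  # server_secret: assumption, read from server-side config in a real deployment
  def initialize(server_secret:)
    @secret = server_secret
    @sessions = {} # raw session_id => Session
  end

  # Start a session; the returned raw ID is what goes into the cookie and
  # must never be rendered in any page.
  def login(user, ip:, impersonator: nil)
    sid = SecureRandom.hex(32)
    @sessions[sid] = Session.new(session_id: sid, user: user, ip: ip,
                                 created_at: Time.now.utc, impersonator: impersonator)
    sid
  end

  def authenticated?(sid)
    @sessions.key?(sid)
  end

  # Opaque UI handle: a keyed hash of the session ID. Seeing it on the
  # "active sessions" page gives no way back to the cookie value.
  def handle_for(sid)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, sid)[0, 16]
  end

  # What the user is allowed to see and revoke: their own sessions only,
  # never one an administrator opened while impersonating them.
  def list(user, current_sid:)
    own_sessions(user, current_sid).map do |s|
      { handle: handle_for(s.session_id), ip: s.ip,
        created_at: s.created_at.iso8601, current: s.session_id == current_sid }
    end
  end

  # Revoke one of the caller's own sessions by handle; false if no match.
  def revoke(user, current_sid:, handle:)
    target = own_sessions(user, current_sid).find { |s| handle_for(s.session_id) == handle }
    return false unless target
    @sessions.delete(target.session_id)
    true
  end

  # Close every other session of this user; returns how many were revoked.
  def revoke_others(user, current_sid:)
    others = own_sessions(user, current_sid).reject { |s| s.session_id == current_sid }
    others.each { |s| @sessions.delete(s.session_id) }
    others.size
  end

  private

  # The caller must present a live, non-impersonated session of their own.
  def own_sessions(user, current_sid)
    me = @sessions[current_sid]
    raise ArgumentError, 'not a live session of this user' unless me && me.user == user && me.impersonator.nil?
    @sessions.values.select { |s| s.user == user && s.impersonator.nil? }
  end
end

# Constructed scenario: alice on three devices plus an admin impersonating her.
def demo
  reg    = SessionRegistry.new(server_secret: 'constructed-test-secret')
  phone  = reg.login('alice', ip: '203.0.113.7')
  tablet = reg.login('alice', ip: '203.0.113.8')
  laptop = reg.login('alice', ip: '198.51.100.2')
  admin  = reg.login('alice', ip: '192.0.2.1', impersonator: 'root')

  visible = reg.list('alice', current_sid: laptop)
  tablet_handle = visible.find { |h| h[:ip] == '203.0.113.8' }[:handle]
  {
    visible: visible.size,                                      # 3: impersonation hidden
    leaks_raw_id: visible.any? { |h| [phone, tablet, laptop, admin].include?(h[:handle]) },
    revoke_tablet: reg.revoke('alice', current_sid: laptop, handle: tablet_handle),
    revoke_bogus: reg.revoke('alice', current_sid: laptop, handle: 'deadbeefdeadbeef'),
    revoked_others: reg.revoke_others('alice', current_sid: laptop), # 1: the phone
    laptop_live: reg.authenticated?(laptop),
    phone_live: reg.authenticated?(phone),
    admin_live: reg.authenticated?(admin)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The handle is an HMAC rather than a plain hash so that a user who learns the site's hashing scheme still cannot brute-force or confirm a guessed session ID from what the UI shows; the admin's impersonation session stays alive and invisible, which is the property whose absence forced the GitLab feature to be removed. In a real deployment the registry would sit in Redis or the database, and `own_sessions` would be the authorization check every session-management endpoint runs first.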

access_type: 'online' and approval_prompt: 'force' together, request offline access the second time

I try to authorize my application with both params:
https://accounts.google.com/o/oauth2/auth?scope=https://www.google.com/m8/feeds
&response_type=code
&access_type=online
&approval_prompt=force
&redirect_uri=.....
...
First time it requests access to "Manage your contacts", that is OK.
But when I try to authorize the second time, it asks the user to allow the "Have offline access" permission, which is not OK.
Cleaning cookies doesn't help. Neither revoking access in account settings. Looks like a Google bug.
Actually, I need just to force user to select account on authorize, not force to ask offline access.
I also tried prompt=select_account instead, but it is not working at all.
It seems that prompt=select_account actually works. It just requires several accounts to be already logged in on the same computer.
