Seeing as we let users close individual sessions, and we already list all the active sessions, maybe we should let users with the right permission also close all active sessions (except for their own).

This would be useful for kicking out all logged in users prior to a deployment, for example.

I will upload a patch shortly.

CommentFileSizeAuthor
#2 add_close_all_sessions_link-2749009-2.patch3.12 KBPhil Wolstenholme

Comments

philw_ created an issue. See original summary.

Phil Wolstenholme’s picture

Phil Wolstenholme commented
StatusFileSize
new add_close_all_sessions_link-2749009-2.patch3.12 KB

Adding a patch that:

  • Creates an 'active_session_close_all_sessions_form' permission
  • Adds a 'View all active sessions' link to 'admin/reports/active_sessions/all'
  • Adds a form submit handler that prompts the user for confirmation and then removes all session entries except for the user's own
  • Fixes some typos in user-facing text within the module
Phil Wolstenholme’s picture

Phil Wolstenholme commented
Status: Active » Needs review

Setting this to needs review, but I suspect it would be better if it called _drupal_session_destroy()instead of just clearing out the sessions table in the db.

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented

It could also be helpful if an account has been compromised and administrator users need to avoid the attacker reads or changes anything in the account or what the account posted.