From 2b40b23f14f2e23b8bb1a2b09f188d9eceea2d27 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 5 Jan 2023 15:06:48 +0100
Subject: [session] Add checkbox to log out all other sessions on pw change
---
inc/session.inc.php | 13 +++++++++++++
modules-available/session/lang/de/template-tags.json | 1 +
modules-available/session/lang/en/template-tags.json | 1 +
modules-available/session/page.inc.php | 3 +++
modules-available/session/templates/change-password.html | 4 ++++
5 files changed, 22 insertions(+)
diff --git a/inc/session.inc.php b/inc/session.inc.php
index d83de088..f2cb1848 100644
--- a/inc/session.inc.php
+++ b/inc/session.inc.php
@@ -107,6 +107,19 @@ class Session
 self::$data = false;
 }
 
+ /**
+ * Kill all sessions of currently logged-in user. This can be used as
+ * a security measure if the user suspects that a session left open on
+ * another device could be/is being abused.
+ */
+ public static function deleteAllButCurrent()
+ {
+ if (self::$sid === false)
+ return;
+ Database::exec("DELETE FROM session WHERE sid <> :sid AND userid = :uid",
+ ['sid' => self::$sid, 'uid' => self::$userId]);
+ }
+
 public static function deleteCookie()
 {
 Util::clearCookie('sid');
diff --git a/modules-available/session/lang/de/template-tags.json b/modules-available/session/lang/de/template-tags.json
index 491c7cc3..d518e1cb 100644
--- a/modules-available/session/lang/de/template-tags.json
+++ b/modules-available/session/lang/de/template-tags.json
@@ -5,6 +5,7 @@
 "lang_enter": "Anmeldung",
 "lang_expires": "L\u00e4uft bei Inaktivit\u00e4t ab",
 "lang_fixedIpSession": "Sitzung an IP-Adresse binden",
+ "lang_killOtherSessions": "Alle meine anderen Sitzungen ausloggen",
 "lang_lastAddress": "Letzter Zugriff von",
 "lang_login": "Anmelden",
 "lang_newPassword": "Neues Passwort",
diff --git a/modules-available/session/lang/en/template-tags.json b/modules-available/session/lang/en/template-tags.json
index 0bd192f3..e21a1bf9 100644
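Review bot: The guard at the top of the new `deleteAllButCurrent()` only checks `self::$sid`, so if `self::$userId` can still be unset while a session id is present (its initialisation is outside this hunk), the DELETE runs with an empty user id bound to `:uid`; extend the guard to `if (self::$sid === false || self::$userId === false) return;` using whatever sentinel `$userId` actually holds when nobody is logged in. The method also declares no return type, `public static function deleteAllButCurrent(): void`, which should follow whatever the rest of the class does. The docblock could additionally state that the method is a no-op when no session is loaded and never touches the calling session itself, which is what the `sid <> :sid` predicate guarantees.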
--- a/modules-available/session/lang/en/template-tags.json
+++ b/modules-available/session/lang/en/template-tags.json
@@ -5,6 +5,7 @@
 "lang_enter": "Enter",
 "lang_expires": "Expires on no activity",
 "lang_fixedIpSession": "Bind session to IP address",
+ "lang_killOtherSessions": "Log out all my other sessions",
 "lang_lastAddress": "Last access from",
 "lang_login": "Login",
 "lang_newPassword": "New password",
diff --git a/modules-available/session/page.inc.php b/modules-available/session/page.inc.php
index 66f672f0..71f24886 100644
--- a/modules-available/session/page.inc.php
+++ b/modules-available/session/page.inc.php
@@ -48,6 +48,9 @@ class Page_Session extends Page
 Message::addError('adduser.password-mismatch');
 Util::redirect('?do=session');
 }
+ if (Request::post('kill-other-sessions', false, 'bool')) {
+ Session::deleteAllButCurrent();
+ }
 if (User::updatePassword($new)) {
 Message::addSuccess('password-changed');
 } else {
diff --git a/modules-available/session/templates/change-password.html b/modules-available/session/templates/change-password.html
index fa8e573f..fa61fd77 100644
--- a/modules-available/session/templates/change-password.html
+++ b/modules-available/session/templates/change-password.html
@@ -5,6 +5,10 @@
+
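Review bot: The new `kill-other-sessions` branch runs before `User::updatePassword($new)`, so the other sessions are dropped even when the password update then fails and the user only sees the error; that is the safer ordering for someone who suspects a leaked session, but it is not obvious from the code, so record it: `// Drop other sessions before the password update so they are gone even if the update fails.` If the intent was instead to couple the logout to a successful change, the `if` belongs inside the success branch of `User::updatePassword`. The enclosing method of `Page_Session` starts and ends outside this hunk, so whether the POST carrying this checkbox is protected against cross-site request forgery cannot be checked here; it should be, since this branch now invalidates sessions as a side effect of the request.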
+ + +
-- cgit v1.2.3-55-g7522