[6.0] Split out logoutAllDevices method

[dwightwatson]

This PR resolves the issue described in #29244 where logging out on one device will actually log you out on all devices. This seems like unexpected behaviour to me - most sites wouldn't log you out everywhere like this.

This changes the logout method to not cycle the remember token, and adds another method logoutAllDevices (which sits alongside logoutOtherDevices) so that developers can opt-in to this behaviour if that is what they are after.

In the linked issue Dries suggested adding logoutCurrentDevice instead - I'm happy to make that alternative PR if that's what you guys prefer - but I did want to suggest initially that I think this should be the default behaviour of logout.

[crynobone]

I would prefer to have logoutCurrentDevice() as the new feature, where else logout() should remains the same.

• logout() - de-authenticate users on all devices
• logoutCurrentDevice() - de-authenticate user only on current devices.
• logoutOtherDevices() - reset password and logout user from other devices for security purpose.

[dwightwatson]

Happy to make that change if it's definitely the preference.

Out of curiousity why is it that you want users logged out from all devices by default? When I log out from GitHub or Facebook on one computer it doesn't happen on my other devices, and if it did it would be annoying.

[antonkomarev]

I'd prefer to go with:

• logout() - de-authenticate user only on current device.
• logoutAllDevices() - de-authenticate users on all devices.
• logoutOtherDevices() - reset password and logout user from other devices for security purpose.

But @crynobone concept is very good too. When you call logout you say that you want to destroy this session on all devices. It depends on which side to look at it.

[crynobone]

Out of curiousity why is it that you want users logged out from all devices by default?

It is a structure that Laravel is been build on, Laravel doesn't keep track where all devices are currently logged on from, unliked GitHub or Facebook.

Therefore, it much easier to control remote de-authentication on devices that you no longer want to have authentication. In Laravel we been depending on remember_token to de-authenticate user until logoutOtherDevices() where introduce.

logoutOtherDevices() was ideally introduced to force de-authenticate other devices while confirming current user password in event where the account might potentially been hacked or the password is no longer safe.

I'm against a BC to logout() because developers that upgrade to 6.0 might not realised the impact of what has been changed and exposing them to scenario when logout() used to safeguard them in the past, where else introduction of logoutCurrentDevice() is more explicit.

[dwightwatson]

Perhaps GitHub/Facebook were poor examples for the point I was trying to make then - take a look at any Wordpress, Ruby on Rails or generic other web app that isn't actually tracking individual logins and I believe they won't log you out everywhere.

I don't believe the common web user would expect that logging out from one device would log them out everywhere, and when it does it's a pretty poor user experience.

[driesvints]

I'm also in favor of keeping the current logout behavior and introducing a logoutCurrentDevice method instead.

[taylorotwell]

Has anyone explored the security implications of not rotating the remember me token at all?

[halaei]

I am not sure the current log-out behaviour exactly logs out other devices. It only invalidates the remember-token so they will be eventually logged-out if inactive for 2 hours? It is hard to explain it to users. I don't know what exactly is required to have a real immediate "log-out other devices" feature in Laravel. I think it is already a missing security feature.

My preference is to have these 2 functions:

• logOut(): only de-authenticate user only on current device.
• logoutOtherDevices(): by some mechanism "immediately" log-out other devices without any affect on the current session.

An ideal implementation of logoutOtherDevices() maybe is not that easy because it should work under this scenario:

1. A logged-in user (with a valid remember token) clicks on "Log out other devices" for some security reason.
2. The server receives this request and process it by applying some changes in database, session and cookies. All other sessions get immediately logged out.
3. For some reason the response of server gets lost and never reached the client. So the client misses the new cookies/tokens.
4. The user must still remains logged in after a long period of being inactive.

[taylorotwell]

I don't have any plans to modify this behavior right now.

[florentpoujol]

Hey

Just for the record (and because I had already written something much longer before the PR was closed ^^), as Halaei explained, the main issue with the current behaviour is that people without remember cookie, but a valid regular cookie/session are just not logged-out at all.

I would see two ways to actually achieve that:

• loop over all sessions and actually delete all the ones that are linked to the user (except maybe the current one)
• or put the remember token in the session, and match all 3 (cookie, session, DB) on auth. Cycling the token effectively deprecates all sessions/cookies that have the old one

---

Anyway, we can easily extend the SessionGard as a custom auth driver, to override logout().
Or even just listen for the Logout event actually, the user instance is not yet saved at that point, so we may retrieve the original token, or even refresh it from the DB directly. (I Haven't tested)

Cheers all 😺