
Require a customer to re-login on all devices after password changing

Open AndreiMaz opened this issue 3 years ago • 3 comments

Let's imagine that a customer is logged in on multiple devices (e.g. a laptop, a phone, etc.). When the password is changed on one of the devices, we should require him (her) to re-login on the other devices.

Let's think about how we can implement it. Maybe some kind of tokens.

AndreiMaz avatar Aug 20 '20 10:08 AndreiMaz

Perhaps using the date on which the cookie is created and comparing it to the CreatedOnUtc date from the CustomerPassword table; if it's older, then the device logs out and requires a re-login.

Avron108 avatar Jan 17 '22 10:01 Avron108

There is no cookie creation date, only the expiration date, if I am not mistaken. You would need to create a custom cookie when the user logs in, but an additional check on each request may cause multiple calls to the database per request. I tried it before for nopCommerce 4.00, but it caused a performance bottleneck due to the many additional queries. I ended up using server-sent events.

  • Each client subscribes to the SSE endpoint
  • When the password is changed, the customer GUID is broadcasted
  • If your browser's customer GUID matches the updated customer GUID, we set the cookie to force logout

This solution worked well and didn't add additional load to the server. There might be a need to add an extra encryption layer to hide the customer GUID if the disclosure of this GUID adds an additional security risk.

ilich avatar Apr 03 '22 04:04 ilich
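A worked version of the check discussed in the two comments above (cookie issue time versus the password's CreatedOnUtc, with a short cache so it does not add a database query on every request), written here as an added example rather than code from nopCommerce or from the commenters. It assumes ASP.NET Core cookie authentication, which keeps the ticket's issue time in AuthenticationProperties.IssuedUtc inside the encrypted cookie; IPasswordChangedLookup and the customer_guid claim are hypothetical names.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Caching.Memory;

// Hypothetical lookup (not a nopCommerce service): returns when the customer's
// current password record was created, i.e. the CreatedOnUtc from the thread.
public interface IPasswordChangedLookup
{
    Task<DateTime?> GetPasswordCreatedOnUtcAsync(Guid customerGuid);
}

public sealed class PasswordChangeCookieEvents : CookieAuthenticationEvents
{
    // Cache window: a changed password is enforced on other devices within this delay.
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(1);
    private readonly IPasswordChangedLookup _lookup;
    private readonly IMemoryCache _cache;

    public PasswordChangeCookieEvents(IPasswordChangedLookup lookup, IMemoryCache cache)
    {
        _lookup = lookup;
        _cache = cache;
    }

    public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
    {
        // Assumption: the login code adds a "customer_guid" claim to the principal.
        var guidClaim = context.Principal?.FindFirst("customer_guid")?.Value;
        var issuedUtc = context.Properties.IssuedUtc;
        if (guidClaim is null || !Guid.TryParse(guidClaim, out var customerGuid) || issuedUtc is null)
        {
            await RejectAsync(context); // malformed or legacy ticket: fail closed
            return;
        }
        // Memoise the lookup so the check is not one database round-trip per request.
        var passwordCreatedOnUtc = await _cache.GetOrCreateAsync(
            $"pwd-created:{customerGuid}",
            entry => { entry.AbsoluteExpirationRelativeToNow = CacheTtl; return _lookup.GetPasswordCreatedOnUtcAsync(customerGuid); });
        // A cookie minted before the current password was set belongs to the old password.
        if (passwordCreatedOnUtc is DateTime changed && issuedUtc.Value.UtcDateTime < changed)
            await RejectAsync(context);
    }

    private static async Task RejectAsync(CookieValidatePrincipalContext context)
    {
        context.RejectPrincipal(); // request proceeds anonymously
        await context.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    }
}
```

Register it with services.AddScoped<PasswordChangeCookieEvents>() and set EventsType = typeof(PasswordChangeCookieEvents) on the cookie scheme's options. The device that performs the password change must be signed in again afterwards, otherwise its own older cookie is rejected too.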

Hi, @ilich Your suggestion sounds interesting, could you share the implementation details via a pull request?

DmitriyKulagin avatar Apr 06 '22 08:04 DmitriyKulagin

Closed #4987

skoshelev avatar Dec 06 '22 14:12 skoshelev