Found that there is nothing removing sessions from us_user_sessions when you enable session management/recording.
I made a modification to users/logout.php to correct the issue in my instance, just FYI.
Nice! @brandin might have a thought on that, but care to share your code?
Also, when you edit the "core" user files like that, it makes it hard to deal with updates because our updates will overwrite the modifications you make.
There are 2 files in usersc/scripts called just_before_logout.php and just_after_logout.php that let you add these types of modifications without editing a userspice file.
If there are other changes you made and want help with that, let us know!
We don't want sessions ever removed from this table. We always want to track this. I suppose on logout we may want to remove it from the table, but this would be the only instance. Removing it in the middle of a session would force a user out. That is what happens when you use the "Kill All Sessions" from the admin_manage_sessions page.
There is also a bug in the code that will cause random timeouts. If you want the fix for this, let me know.
Brandin.
I suppose on logout we can mark the sessions ended, which would be done in the columns UserSessionEnded and EndedTime, I believe (I'm not looking at the table right now). There also should be a function that performs this; you would be able to use this function in your logout script from the manage_sessions or admin_manage_sessions page.
Just remember that even companies like Facebook and Twitter don't remove old sessions until they are officially destroyed (user actually pressed logout or was forced out remotely) and that is what we are trying to accomplish.
Thank you,
Brandin.
Yes, see the code I posted... I found and used the function killSessions.
And yeah I understand... there has to be something on explicit logout that marks them completed though. Otherwise the users 'active' sessions just keep piling up.
Even on explicit logout, it may not be something you want to do. These Session Management tools are a good way to spot unauthorized access to your account, especially if you use US for a project that requires a bit more security oversight. If you hide these on explicit logout, someone could log in to an account unauthorized, and as long as they log out, the chances of anyone noticing while reviewing the page would be slim.
Brandin.
Okay, I guess I just don't understand then when they get marked completed/ended if not on explicit logout. If every session ever created stays active until I as admin go to the dashboard and manually end them, I am not seeing the value in the feature. And for my users looking at their sessions it will be confusing why they have so many active sessions despite having logged out (it was for me). I mean they are not actually active sessions... once explicitly logged out there will no longer be any use of/reference to that session.
I can view completed ones same as active ones, so I wouldn't say they are hidden. And if every session stays active without manual intervention, I won't notice anything odd either... and really would have to turn the feature off.
Thanks for your time today
I guess you just need to consider what the feature was built for: tracking and intervention of sessions. I can go into Facebook right now and look at a portion of the security titled "Where You Are logged In" and I can guarantee at least 40/50 are no longer actually logged in (app uninstalled, new phone, closed browser, private browsing), so many reasons. In this case, Facebook removes ones that you log out from, but it never removes it because the session expired or anything like that. It only removes it in one of these two cases:
- You explicitly log out
- You end all sessions
The only one we are lacking is the former which you have developed a solution for. I am just trying to instill in you the reasoning behind this feature and what you should use it for from our perspective, and that this information can be valuable.
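The approach discussed in this thread, marking a session ended on explicit logout instead of deleting its row, shown as an added example that is not part of the thread and is not UserSpice code. It is a standalone PDO model on in-memory SQLite (requires the pdo_sqlite extension); the table `demo_user_sessions`, the `session_hash` column and both function names are hypothetical, and `UserSessionEnded` / `EndedTime` are the column names recalled, unverified, in the post above.

```php
<?php
// Added illustration, not UserSpice code. Table name and columns are assumptions;
// UserSessionEnded and EndedTime are the names recalled (unverified) in the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE demo_user_sessions (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL,
    session_hash TEXT NOT NULL,   -- SHA-256 of the session ID, never the raw ID
    ip TEXT NOT NULL,
    started TEXT NOT NULL,
    UserSessionEnded INTEGER NOT NULL DEFAULT 0,
    EndedTime TEXT
)');

// Constructed sample data: two sessions for user 7 (documentation IP ranges).
$insert = $db->prepare('INSERT INTO demo_user_sessions
    (user_id, session_hash, ip, started) VALUES (?, ?, ?, ?)');
$insert->execute([7, hash('sha256', 'constructed-session-a'), '192.0.2.10', '2024-01-05 09:00:00']);
$insert->execute([7, hash('sha256', 'constructed-session-b'), '198.51.100.23', '2024-01-05 09:30:00']);

// What a logout hook would do: end only the session being logged out, keep the row.
function markSessionEnded(PDO $db, int $userId, string $sessionId): int
{
    $stmt = $db->prepare('UPDATE demo_user_sessions
        SET UserSessionEnded = 1, EndedTime = ?
        WHERE user_id = ? AND session_hash = ? AND UserSessionEnded = 0');
    $stmt->execute([gmdate('Y-m-d H:i:s'), $userId, hash('sha256', $sessionId)]);
    return $stmt->rowCount();   // 0 means already ended or unknown session
}

// Active and ended sessions come from the same table, so ended ones stay reviewable.
function listSessions(PDO $db, int $userId, bool $ended): array
{
    $stmt = $db->prepare('SELECT ip, started, EndedTime FROM demo_user_sessions
        WHERE user_id = ? AND UserSessionEnded = ? ORDER BY started');
    $stmt->execute([$userId, $ended ? 1 : 0]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

markSessionEnded($db, 7, 'constructed-session-b');   // explicit logout of session b
markSessionEnded($db, 7, 'constructed-session-b');   // repeat call is a no-op

echo "Active:\n";
print_r(listSessions($db, 7, false));   // session a only
echo "Ended (kept for review):\n";
print_r(listSessions($db, 7, true));    // session b, with its IP and end time
```

Because the row is updated rather than deleted, a login from an unexpected IP remains visible in the ended list even if whoever used the account logged out afterwards.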