V14: Revoke previous sessions when `AllowConcurrentLogins` is false #15892

elit0451 · 2024-03-15T10:11:33Z

Details

Revokes previously issued tokens of a user when Umbraco::CMS::Security::AllowConcurrentLogins is set to false.

Caution

Breaking: This PR adds a new parameter to the RevokeUserAuthenticationTokensNotificationHandler ctor;

Make sure you are logged out;
Set Umbraco::CMS::Security::AllowConcurrentLogins to false;
Login as a user - verify that you can navigate around;
Open an incognito window;
Login as the same user;
In the first browser, verify that you will see a notification about "Session Expired";
Some changes need to be made on the FE to reflect recent changes on the BE - that's why you are not redirected automatically to the login screen;
Login again and verify that the same "Session Expired" flow happens again;
Set config to true - and verify that you can keep several active sessions at the same time.

…concurrent-logins

elit0451 added 2 commits March 15, 2024 10:43

Revoke previous sessions when AllowConcurrentLogins is false

8f495d7

Merge remote-tracking branch 'origin/v14/dev' into v14/feature/limit-…

aa1f3b3

…concurrent-logins

elit0451 added category/breaking project/bellissima AKA "the new backoffice" labels Mar 15, 2024

bergmania approved these changes Mar 18, 2024

View reviewed changes

bergmania merged commit e9cfcf4 into v14/dev Mar 18, 2024
16 checks passed

bergmania deleted the v14/feature/limit-concurrent-logins branch March 18, 2024 12:18

bergmania added the release/14.0.0 label Apr 10, 2024