how to expire a login cookie on machine a from machine b?

blackhorse

I am talking about general cases using cookie to remember the sign in.

For example, if I am in the public library's computer, I login to this forum and accidently I set up the library's computer (machine a) to remember my login.

So now every body have access to that computer if they visit this forum, they will automatically sign in as me.

Now, I am in home, I can still login (lucky that nobody access my account on this forum changed my password yet), now in front my own computer (computer 😎, how can I expire my login cookie to this forum at library's computer (computer A) from my home computer (computer 😎?

I know I can change my password to achieve that.

But

1) If we are talking about some general fourm, not tech forum like this, the users are not so tech-oriented, they may not figure out this solution.

2) Change the password too many times itself could be another headach people hate to face.

NogDog

All that comes to mind for me right now would be to record the user's IP address in a last-login field of the database's users table. Then whenever a user connects to the site, if their current IP does not match the database IP, then expire their cookie and require them to log in again (and, of course, update the last-login IP address once the log in successfully).

MarkR

You can't expire the cookie, but you can invalidate whatever it contains.

I set a random* value in the cookie on a per-user, per-session basis typically. Any change of the user's credentials (password, lock-out, admin rights etc) will kill the value of this cookie. A subsequent logon assigns a new value which will be different.

If the cookie doesn't match what's in the database, my application clears it and sends them into the logon page (as if they had no cookie at all).

Mark

Not actually random, mostly random, plus some other junk that's not useful to an attacker.

blackhorse

I am thinking using a random created number too.

For example, a client who uses this forum day and night, may want to access this forum from his company's computer and his home computer without log each other machine off every day.

What I think is using a random created number, called it "reset_number", this number will be dropped as cookie too and will be checked too.

This reset_number will not be changed usually. For example Only when the user in home and realize that he might be in the library and dropped a log in cookie on the machine there. He could log in to his control panel from home computer, click the "reset" button (this activity should reqires password typed manually first), then the reset_number will be changed, all the old cookies dropped on all the machines with old reset_number cannot log in any more.