21 votes
Tildes login session management?
Does Tildes have any way for me to log out of a device I'm not currently using?
- I don't see any session management or "logout of all devices" in the settings.
- Would resetting my password invalidate all active sessions?
- Do I need to email someone?
Doesn't directly answer your question, but Tildes login sessions expire after a year.
Changing password doesn't appear to invalidate sessions.
Thanks for the work you do! I'm not the OP here but I use the awesome Three Cheers app. On the user page/tab there's a Log Out button at the top. Given your answer here, I suppose this just logs you out of the app but doesn't invalidate the session to the server?
On iOS, logging out in Three Cheers does attempt a server request, and that means the session is invalidated on the server side.
On Android the app behaves differently: it does not do a server-side logout. This is because the account is kept in the system account manager to make it easy to log in and out quickly. I probably did it this way on Android to make it easier on myself when developing and testing the app. Also iOS doesn't have a direct equivalent to Android's account manager API.
A device can log out of its own session (go to the user page and then click "Log out" in the sidebar), but there's no straightforward way to clear all of the sessions related to a specific user. They're stored in Redis and the key is the session ID. It's possible for me to do manually, but would currently involve iterating through every active session and checking which user it's associated with.
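An added example, not Tildes code and not part of any comment in this thread: a sketch of the two ways to revoke every session for one user when sessions are keyed only by session ID. The in-memory dictionaries stand in for the Redis store, and the record layout, the per-user index and all names are assumptions made for illustration.

```python
import secrets


class SessionStore:
    """In-memory stand-in for a key-value session store (constructed for this example)."""

    def __init__(self, index_by_user=False):
        self.sessions = {}   # session ID -> {"user_id": ...}
        self.by_user = {}    # user ID -> set of session IDs (hypothetical secondary index)
        self.index_by_user = index_by_user

    def login(self, user_id):
        sid = secrets.token_urlsafe(32)  # unguessable session ID
        self.sessions[sid] = {"user_id": user_id}
        if self.index_by_user:
            self.by_user.setdefault(user_id, set()).add(sid)
        return sid

    def logout(self, sid):
        """A device logging out of its own session."""
        record = self.sessions.pop(sid, None)
        if record and self.index_by_user:
            self.by_user.get(record["user_id"], set()).discard(sid)

    def is_valid(self, sid):
        return sid in self.sessions

    def revoke_all_by_scan(self, user_id):
        """Walk every active session and check its user; cost grows with total sessions."""
        doomed = [s for s, rec in self.sessions.items() if rec["user_id"] == user_id]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)

    def revoke_all_by_index(self, user_id):
        """Delete only the IDs in the user's index; already-expired IDs are skipped."""
        sids = self.by_user.pop(user_id, set())
        for sid in sids:
            self.sessions.pop(sid, None)
        return len(sids)


def demo():
    store = SessionStore(index_by_user=True)
    laptop, phone = store.login("alice"), store.login("alice")
    other = store.login("bob")
    store.logout(phone)  # single-device logout keeps the index in step
    revoked = store.revoke_all_by_index("alice")
    return revoked, store.is_valid(laptop), store.is_valid(other)


if __name__ == "__main__":
    print(demo())
```

Calling the same per-user revocation from a password-change handler is what would make a password reset end other devices' sessions.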
The best answer would likely be provided by @Deimos, the site owner, designer and main programmer.
This is maybe not helpful, but based on talklittle's answer in the child comments here, it sounds like there is a session invalidation endpoint in the Tildes REST API. If you can figure out what that is via docs or reading the code (which I think is open source?), then you should be able to craft a curl command to invalidate a session, if you have an active session open and available to you. If you don't have the session available in a browser tab, then you'll have to additionally look for an endpoint to list sessions for your account.
Oh, this is a great idea, thanks. I'll look into this!