Is there any reason why removeByUserId is private in CacheIdContainer?
mhzajac opened this issue
Sometimes it would be convenient to remotely log a user out of an application (for example, revoked access to something, unauthorized entry). There is a removeByUserId method in CacheIdContainer that does exactly this, however it isn't exposed anywhere. The only way to use it is to extend CacheIdContainer to expose the method, or re-implement it elsewhere, which is undesirable, as it could later break if CacheIdContainer changes for any reason. Is there a reason this method isn't exposed anywhere? (or IdContainer for that matter)

I agree that it is convenient to enable multiple log-in.
If CacheIdContainer#removeByUserId is public, it can be overridden, and we can implement multiple log-in easily.
However, with only that implementation there is a security risk that users cannot invalidate other sessions.
So, when we provide multiple log-in, we should provide a way of invalidating sessions.
It includes showing a session list to users.
Since CacheIdContainer is poor for this implementation, we create a new AsyncIdContainer that records remote IP address, access time and so on in a non-volatile datastore instead of the cache.

I wasn't really interested in exposing CacheIdContainer#removeByUserId for the purpose of multiple logins. More so to allow an administrator (let's say) to forcibly destroy a user's session without deleting or modifying the account that's stored elsewhere. I could delete the cache key userId:###, but that's not as clean as having the IdContainer handle it.

OK, I see. I misunderstood your motivation.
It needs a way of kicking other users' sessions.
I will consider this problem.
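
The two needs raised in this thread (a forced logout by user id that leaves the account untouched, and a per-user session list with remote IP and access time) can live in one container. The sketch below is an added example, not code from play2-auth or from either commenter: SessionRecord, SessionRegistry and their methods are hypothetical names, and an in-memory TrieMap stands in for the non-volatile datastore.

```scala
import java.security.SecureRandom
import java.time.Instant
import scala.collection.concurrent.TrieMap

// Hypothetical names throughout; none of this is play2-auth API.
final case class SessionRecord(token: String, userId: Long, remoteIp: String, lastAccess: Instant)

final class SessionRegistry {
  private val random = new SecureRandom()
  // token -> record; assumption: a real deployment would back this with a durable store
  private val byToken = TrieMap.empty[String, SessionRecord]

  private def newToken(): String = {
    val bytes = new Array[Byte](32)
    random.nextBytes(bytes)
    bytes.map("%02x".format(_)).mkString
  }

  /** Start a session; other sessions of the same user stay valid (multiple log-in). */
  def startNewSession(userId: Long, remoteIp: String): String = {
    val token = newToken()
    byToken.put(token, SessionRecord(token, userId, remoteIp, Instant.now()))
    token
  }

  /** Resolve a token to its user id and refresh the access time. */
  def get(token: String): Option[Long] =
    byToken.get(token).map { rec =>
      // replace() only succeeds while the key exists, so a revoked session is not resurrected
      byToken.replace(token, rec.copy(lastAccess = Instant.now()))
      rec.userId
    }

  /** Session list for a user, oldest access first. */
  def list(userId: Long): Seq[SessionRecord] =
    byToken.values.filter(_.userId == userId).toSeq.sortBy(_.lastAccess.toEpochMilli)

  /** Invalidate one session, but only if it belongs to the given user. */
  def remove(userId: Long, token: String): Boolean =
    byToken.get(token).filter(_.userId == userId).flatMap(_ => byToken.remove(token)).isDefined

  /** Forced logout: drop every session of the user and return how many were removed. */
  def removeByUserId(userId: Long): Int =
    byToken.values.filter(_.userId == userId).toList.count(r => byToken.remove(r.token).isDefined)
}

object Demo extends App {
  val reg = new SessionRegistry
  val a = reg.startNewSession(42L, "192.0.2.10") // constructed sample values
  reg.startNewSession(42L, "192.0.2.11")
  val c = reg.startNewSession(7L, "198.51.100.5")
  println(reg.list(42L).map(_.remoteIp)) // both sessions of user 42
  println(reg.removeByUserId(42L))       // number of sessions revoked
  println((reg.get(a), reg.get(c)))      // user 42 is logged out, user 7 is unaffected
}
```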