selectively inhibit previous session
Jim Fox
fox at washington.edu
Fri May 22 18:33:18 UTC 2020
> Yes. It's attached to the flow as a configuration setting that means "attach this to every result created by this flow".
>
The methods we've discussed are starting to seem awfully heavyweight for a
condition that occurs maybe once in a couple hundred thousand logins.
Thanks for the discussion though. I've learned quite a bit from it.
My new plan: I can detect in my mfa script 1) if a user is in the
compromised condition (method local to my situation) and 2) if the
Password result used a previous session. From there I can invalidate the
session and basically let the user start over.
I think I could destroy the session with a subflow that just deletes the session
cookie, but that seems kinda crude. Is there a better way for me to invalidate
the session and then run the user through Password again?
If all else fails I can redirect the user to Logout and tell them to start over.
Thanks,
Jim