Invalidate remember me when an active session is revoked

On sign-out Devise invalidates all remember me tokens. GitLab now also invalidates all remember me tokens whenever any given Active Session is revoked manually by a user.

Invalidate remember me when an active session is revoked
On sign-out Devise invalidates all remember me tokens. GitLab now also invalidates all remember me tokens whenever any given Active Session is revoked manually by a user.
5c2b0fa7 · Drew Blessing · Drew Blessing · b3a646b0 · 5c2b0fa7 · 5c2b0fa7
Commit 5c2b0fa7 authored Aug 11, 2020 by Drew Blessing Committed by Drew Blessing Aug 17, 2020
7 changed files
--- a/app/controllers/profiles/active_sessions_controller.rb
+++ b/app/controllers/profiles/active_sessions_controller.rb
@@ -7,6 +7,7 @@ class Profiles::ActiveSessionsController < Profiles::ApplicationController

  def destroy
    ActiveSession.destroy_with_public_id(current_user, params[:id])
+    current_user.forget_me!

    respond_to do |format|
      format.html { redirect_to profile_active_sessions_url, status: :found }

--- a/app/views/profiles/active_sessions/_active_session.html.haml
+++ b/app/views/profiles/active_sessions/_active_session.html.haml
@@ -27,6 +27,6 @@

  - unless is_current_session
    .float-right
-      = link_to profile_active_session_path(active_session.public_id), data: { confirm: _('Are you sure? The device will be signed out of GitLab.') }, method: :delete, class: "btn btn-danger gl-ml-3" do
+      = link_to profile_active_session_path(active_session.public_id), data: { confirm: _('Are you sure? The device will be signed out of GitLab and all remember me tokens revoked.') }, method: :delete, class: "btn btn-danger gl-ml-3" do
        %span.sr-only= _('Revoke')
        = _('Revoke')
--- a/changelogs/unreleased/security-220-dblessing-revoke-remember-me-on-session-revocation.yml
+++ b/changelogs/unreleased/security-220-dblessing-revoke-remember-me-on-session-revocation.yml
+---
+title: Invalidate remember me when an active session is revoked
+merge_request:
+author:
+type: security
--- a/doc/user/profile/active_sessions.md
+++ b/doc/user/profile/active_sessions.md
@@ -29,6 +29,11 @@ exceeds 100, the oldest ones are deleted.
 1. Use the previous steps to navigate to **Active Sessions**.
 1. Click on **Revoke** besides a session. The current session cannot be revoked, as this would sign you out of GitLab.

+NOTE: **Note:**
+When any session is revoked all **Remember me** tokens for all
+devices will be revoked. See ['Why do I keep getting signed out?'](index.md#why-do-i-keep-getting-signed-out)
+for more information about the **Remember me** feature.
+
 <!-- ## Troubleshooting

 Include any troubleshooting steps that you can foresee. If you know beforehand what issues

--- a/doc/user/profile/index.md
+++ b/doc/user/profile/index.md
@@ -255,6 +255,12 @@ to get you a new `_gitlab_session` and keep you signed in through browser restar
 After your `remember_user_token` expires and your `_gitlab_session` is cleared/expired,
 you are asked to sign in again to verify your identity for security reasons.

+NOTE: **Note:**
+When any session is signed out, or when a session is revoked
+via [Active Sessions](active_sessions.md), all **Remember me** tokens are revoked.
+While other sessions will remain active, the **Remember me** feature will not restore
+a session if the browser is closed or the existing session expires.
+
 ### Increased sign-in time

 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/20340) in GitLab 13.1.
@@ -264,7 +270,7 @@ The `remember_user_token` lifetime of a cookie can now extend beyond the deadlin
 GitLab uses both session and persistent cookies:

 - Session cookie: Session cookies are normally removed at the end of the browser session when the browser is closed. The `_gitlab_session` cookie has no expiration date.
- Persistent cookie: The `remember_me_token` is a cookie with an expiration date of two weeks. GitLab activates this cookie if you click Remember Me when you sign in.
+- Persistent cookie: The `remember_user_token` is a cookie with an expiration date of two weeks. GitLab activates this cookie if you click Remember Me when you sign in.

 By default, the server sets a time-to-live (TTL) of 1-week on any session that is used.


--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -3268,7 +3268,7 @@ msgstr ""
 msgid "Are you sure? Removing this GPG key does not affect already signed commits."
 msgstr ""

-msgid "Are you sure? The device will be signed out of GitLab."
+msgid "Are you sure? The device will be signed out of GitLab and all remember me tokens revoked."
 msgstr ""

 msgid "Are you sure? This will invalidate your registered applications and U2F devices."

--- a/spec/controllers/profiles/active_sessions_controller_spec.rb
+++ b/spec/controllers/profiles/active_sessions_controller_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Profiles::ActiveSessionsController do
+  describe 'DELETE destroy' do
+    let_it_be(:user) { create(:user) }
+
+    before do
+      sign_in(user)
+    end
+
+    it 'invalidates all remember user tokens' do
+      ActiveSession.set(user, request)
+      session_id = request.session.id.public_id
+      user.remember_me!
+
+      delete :destroy, params: { id: session_id }
+
+      expect(user.reload.remember_created_at).to be_nil
+    end
+  end
+end