XF 1.5 How to log users out?

Discussion in 'Troubleshooting and Problems' started by triforceguy1, Jun 20, 2016.

  1. triforceguy1

    triforceguy1 Member

    Hello,

    Someone decided to be a massive ass and get into some of the user accounts on my forum.
    I've banned them temporarily and am going to change their passwords (and change back any details which were changed), but is there a way to log them out from everywhere remotely so that, when they are unbanned, there isn't a chance the perpetrator is still logged in?

    Also, while I am at it, how are passwords stored exactly on XenForo? Is it something that could easily be found if someone had the SQL files of the database? Or even though would it require a lot of digging? I only ask so I know more about the security of my members.

    Leon

    EDIT - BTW, could this be moved to an appropriate forum? In the rush of panic I put this thread in the wrong one.
     
    Last edited: Jun 21, 2016
  2. Steve F

    Steve F Well-Known Member

    You can change the cookie prefix in the config.php file.
     
  3. triforceguy1

    triforceguy1 Member

    I can't seem to find the cookie prefix in the config.php file (the one in the library directory, correct?).
     
  4. Steve F

    Steve F Well-Known Member

    Cookie prefix defaults to xf_ , change it to something else, but keep it short as well.

    Code:
    $config['cookie']['prefix'] = 'xf_';
     
    triforceguy1 likes this.
  5. triforceguy1

    triforceguy1 Member

    Great, that did the trick, thank you :)
     
  6. Mike

    Mike XenForo Developer Staff Member

    Changing a user's password would terminate all currently active sessions. No need to change the cookie prefix (which will affect everyone).

    If someone has a copy of your database, you need to consider all of the passwords to be compromised. They might not be, but you don't know that. We store them hashed (bcrypt), but that won't do anything if a user uses a particularly weak password.
     
    triforceguy1 likes this.
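
As an added illustration of the difference Mike describes (this is example code written for this page, not XenForo's implementation and not posted by anyone in the thread): one common way to make a password change end only that user's sessions is to stamp each session with a per-user counter that the password change increments. The class, method and account names are hypothetical, the passwords are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added illustration, not XenForo's code: every name here is hypothetical.
final class SessionStore
{
    private $users = [];    // user => ['hash' => bcrypt hash, 'epoch' => int]
    private $sessions = []; // sha256(token) => ['user' => ..., 'epoch' => ...]

    public function setPassword(string $user, string $password): void
    {
        // Bump the per-user epoch so sessions issued earlier stop validating.
        $epoch = ($this->users[$user]['epoch'] ?? 0) + 1;
        $this->users[$user] = ['hash' => password_hash($password, PASSWORD_BCRYPT), 'epoch' => $epoch];
    }

    public function login(string $user, string $password): ?string
    {
        $record = $this->users[$user] ?? null;
        if ($record === null || !password_verify($password, $record['hash'])) {
            return null;
        }
        $token = bin2hex(random_bytes(32));
        // Store only a digest so a copied session table holds no usable tokens.
        $this->sessions[hash('sha256', $token)] = ['user' => $user, 'epoch' => $record['epoch']];
        return $token;
    }

    public function currentUser(string $token): ?string
    {
        $key = hash('sha256', $token);
        $session = $this->sessions[$key] ?? null;
        if ($session === null) {
            return null;
        }
        if ($session['epoch'] !== $this->users[$session['user']]['epoch']) {
            unset($this->sessions[$key]); // issued before the last password change
            return null;
        }
        return $session['user'];
    }
}

// Constructed accounts and passwords, for the demonstration only.
$store = new SessionStore();
$store->setPassword('alice', 'constructed-old-passphrase');
$store->setPassword('bob', 'constructed-bob-passphrase');
$intruder = $store->login('alice', 'constructed-old-passphrase');
$bob = $store->login('bob', 'constructed-bob-passphrase');
$store->setPassword('alice', 'constructed-new-passphrase'); // admin resets alice
var_dump($store->currentUser($intruder)); // session opened with the old password
var_dump($store->currentUser($bob));      // unrelated user's session
```

The first lookup fails because the session predates the reset, while the unrelated user's session keeps working; a site-wide change such as a new cookie prefix has no such per-user scope.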
  7. triforceguy1

    triforceguy1 Member

    Thank you very much, I don't think anyone else has access to the database, but it's always worth thinking about all possibilities.
    To be honest, I don't think the guy is even that smart. When he got into an admin account before Christmas, just changing the Admin ACP path was enough to stop him haha
    I've sent out a security reminder to the active members just with some tips on making a secure password and the Two-Step Authentication, hopefully this will cause him to go back to his previous troll tactics :p
     
  8. Steve F

    Steve F Well-Known Member

    How is this person getting in so easily? Just a poor password? Whatever members are being targeted, you should think about forcing 2FA.

    @Mike I thought he wanted to force a log out on all users, my fault.
     
  9. triforceguy1

    triforceguy1 Member

    I would assume it was a poor password. I can't see how else they could get in. Is there a way to force users to use Two Step Verification?
     
  10. Steve F

    Steve F Well-Known Member

  11. triforceguy1

    triforceguy1 Member

    Steve F likes this.
