XF 1.5 How to log users out?

[triforceguy1]

Hello,

Someone decided to be a massive ass and get into some of the user accounts on my forum.
I've banned them temporarily and going to change their passwords (and change back any details which were changed, but if there a way to log them out from everywhere remotely so that, when they are unbanned, there isn't a chance the perpetrator isn't still logged in?

Also, while I am at it, how are passwords stored exactly on XenForo? Is it something that could easily be found if someone had the SQL files of the database? Or even though would it require a lot of digging? I only ask so I know more about the security of my members

Leon

EDIT- BTW, could this be moved to an appropriate forum, in the rush of panic I put this thread in the wrong one

 

[Steve F]

You can change the cookie prefix in the config.php file.

 

[triforceguy1]

You can change the cookie prefix in the config.php file.

I can't seem to fin the cookie prefix in the config.php file (the one in the library directory, correct?)

 

[Steve F]

Cookie prefix defaults to xf_ , change it to something else, but keep it short as well.

$config['cookie']['prefix'] = 'xf_';

 

[triforceguy1]

Great, that did the trick, thank you

 

[Mike]

Changing a user's password would terminate all currently active sessions. No need to change the cookie prefix (which will affect everyone).

If someone has a copy of your database, you need to consider all of the passwords to be compromised. They might not be, but you don't know that. We store them hashed (bcrypt), but that won't do anything if a user uses a particularly weak password.

 

[triforceguy1]

Changing a user's password would terminate all currently active sessions. No need to change the cookie prefix (which will affect everyone).

If someone has a copy of your database, you need to consider all of the passwords to be compromised. They might not be, but you don't know that. We store them hashed (bcrypt), but that won't do anything if a user uses a particularly weak password.

Thank you very much, I don't think anyone else has access to the database, but it's always worth thinking about all possibilities
To be honest, I don't think the guy is even that smart. When he got into an admit account before christmas just changing the Admin ACP path was enough to stop him haha
I've sent out a security reminder to the active members just with some tips on making a secure password and the Two-Step Authentication, hopefully this will cause him to go back to his previous troll tactics

 

[Steve F]

How is this person getting in so easily? Just poor password? What ever members are being targeted you should think about forcing 2FA.

@Mike I thought he wanted to force a log out on all users, my fault.

 

[triforceguy1]

How is this person getting in so easily? Just poor password? What ever members are being targeted you should think about forcing 2FA.

@Mike I thought he wanted to force a log out on all users, my fault.

I would assume it was a poor password. I can't see how else they could get in. Is there a way to force users to use Two Step Verification?

 

[Steve F]

Yes in the user group permissions. We always require it for staff on our sites.

And this is another layer of security you can add: https://xenforo.com/community/resou...and-the-install-directory-using-htaccess.353/

 

[triforceguy1]

Yes in the user group permissions. We always require it for staff on our sites.

And this is another layer of security you can add: https://xenforo.com/community/resou...and-the-install-directory-using-htaccess.353/

Awesome, thank you very much