
XF 1.5 How to log users out?

#1
Hello,

Someone decided to be a massive ass and get into some of the user accounts on my forum.
I've banned them temporarily and am going to change their passwords (and change back any details which were changed), but is there a way to log them out from everywhere remotely so that, when they are unbanned, there isn't a chance the perpetrator is still logged in?

Also, while I am at it, how are passwords stored exactly on XenForo? Is it something that could easily be found if someone had the SQL files of the database? Or, even then, would it require a lot of digging? I only ask so I know more about the security of my members.

Leon

EDIT: BTW, could this be moved to an appropriate forum? In the rush of panic I put this thread in the wrong one.
 

Mike

XenForo developer
Staff member
#6
Changing a user's password would terminate all currently active sessions. No need to change the cookie prefix (which will affect everyone).

If someone has a copy of your database, you need to consider all of the passwords to be compromised. They might not be, but you don't know that. We store them hashed (bcrypt), but that won't do anything if a user uses a particularly weak password.
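
The point above about bcrypt and weak passwords, as an added example that is not part of the thread and is not XenForo's code: an admin-side audit that checks bcrypt hashes against a short common-password list to find accounts that need a forced reset. It uses PHP's built-in `password_hash`/`password_verify`; the function names, accounts, passwords and list are constructed for illustration.

```php
<?php
// Added example: all names and sample data are constructed, not from XenForo.

const BCRYPT_COST = 10;

/** Hash a password with bcrypt; PHP generates a fresh random salt per hash. */
function store_password(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/**
 * Return the usernames whose stored hash verifies against any listed password.
 * Every check is one full bcrypt computation, so the total work is at most
 * count($userHashes) * count($candidates) hashes.
 */
function find_weak_accounts(array $userHashes, array $candidates): array
{
    $weak = [];
    foreach ($userHashes as $user => $hash) {
        foreach ($candidates as $candidate) {
            if (password_verify($candidate, $hash)) {
                $weak[] = $user;
                break; // one match is enough to flag the account
            }
        }
    }
    return $weak;
}

// Constructed sample accounts (hypothetical users and passwords).
$users = [
    'alice' => store_password('password1'),
    'bob'   => store_password('correct-horse-battery-staple-71'),
    'carol' => store_password('qwerty'),
];

// Constructed stand-in for a common-password list.
$common = ['123456', 'password', 'password1', 'qwerty', 'letmein'];

$start   = microtime(true);
$weak    = find_weak_accounts($users, $common);
$elapsed = microtime(true) - $start;

printf("Accounts to force-reset: %s\n", implode(', ', $weak));
printf("%d accounts x up to %d candidates took %.2fs\n",
    count($users), count($common), $elapsed);
```

The bcrypt cost makes each guess slow, but a password that sits on a short list is found after a handful of guesses regardless, which is why such accounts should be reset and moved to two-step verification.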
 
#7
> Changing a user's password would terminate all currently active sessions. No need to change the cookie prefix (which will affect everyone).
>
> If someone has a copy of your database, you need to consider all of the passwords to be compromised. They might not be, but you don't know that. We store them hashed (bcrypt), but that won't do anything if a user uses a particularly weak password.

Thank you very much. I don't think anyone else has access to the database, but it's always worth thinking about all possibilities.
To be honest, I don't think the guy is even that smart. When he got into an admin account before Christmas, just changing the Admin ACP path was enough to stop him haha
I've sent out a security reminder to the active members, just with some tips on making a secure password and the Two-Step Authentication. Hopefully this will cause him to go back to his previous troll tactics :p
 

Steve F

Well-known member
#8
How is this person getting in so easily? Just a poor password? Whatever members are being targeted, you should think about forcing 2FA.

@Mike I thought he wanted to force a log out on all users, my fault.
 
#9
> How is this person getting in so easily? Just a poor password? Whatever members are being targeted, you should think about forcing 2FA.
>
> @Mike I thought he wanted to force a log out on all users, my fault.

I would assume it was a poor password. I can't see how else they could get in. Is there a way to force users to use Two Step Verification?