
Improved session management for security #2060

@tomudding

Description


What would you like?

This stems from GH-1830, but also the longer desire to fix how we handle sessions. Our current session management approach has several shortcomings that pose risks to administrators, the board, and members alike. Given the sensitive data stored on the website, accessible by admins and the board, we need stronger guarantees around session lifecycles, authentication, and revocation.

At this point, I can identify the following issues (and a potential proposal on how to fix them):

  • Lack of MFA enforcement: A lot of data is stored on the website and accessible by admins and the board. To mitigate risks, we want to introduce MFA. Ideally, MFA should be available for all users, but enforced for admins and board members.

  • Long-lived sessions: Currently, sessions are long-lived. To mitigate risks, we reset encryption keys on July 1st each year, forcing all users to log out (ensuring graduates who lost their status are logged out).
    • Suggested solution: automate session expiration.

  • Sessions not invalidated on credential changes: When a member/graduate changes their password or e-mail address, existing sessions remain valid. This undermines the security of credential updates.
    • Suggested solution: automatically invalidate all active sessions upon credential changes.

  • No way to kill stolen sessions: We have seen credentials stolen through infostealers. Currently, there is no easy way to revoke or kill compromised sessions.
    • Suggested solution: provide admin tools to revoke sessions globally or per user.

  • No advanced session view for users: Members/graduates cannot see or manage their active sessions. We want an advanced view of session management, including:
    • Information on the browser/device used.
    • Ability to manually log out certain or all sessions.
    • Similar to cjmellor/browser-sessions (Laravel Jetstream functionality), but implemented for Symfony.
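The five points above describe one set of lifecycle rules on a server-side session registry: a session carries the credential version it was issued under, has an absolute expiry, can be revoked per session, per user or globally, and is listed back to its owner with device information; MFA is mandatory for privileged roles at login. The following is an added, language-neutral model of those rules written for this issue, not Symfony code and not this project's implementation. Role names (`admin`, `board`), the 30-day lifetime, the request fields (`user_agent`, `ip`) and the `ManualClock` helper are assumptions for illustration.

```python
# Added example: a minimal session registry implementing the lifecycle rules
# proposed in this issue. Illustrative only; not Symfony or project code.
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable

PRIVILEGED_ROLES = {"admin", "board"}  # assumed role names; MFA enforced for these


@dataclass
class User:
    id: int
    roles: set[str] = field(default_factory=set)
    # Bumped on every password or e-mail change. Each session stores the value
    # it was issued under, so one bump invalidates all of the user's sessions.
    credential_version: int = 0


@dataclass
class Session:
    id: str
    user_id: int
    credential_version: int
    issued_at: datetime
    expires_at: datetime
    user_agent: str  # assumed to be copied from the login request
    ip: str
    revoked: bool = False


class ManualClock:
    """Constructed clock so expiry can be exercised without waiting (assumed helper)."""
    def __init__(self, now: datetime | None = None):
        self.now = now or datetime.now(timezone.utc)

    def __call__(self) -> datetime:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += timedelta(seconds=seconds)


class SessionRegistry:
    def __init__(self, lifetime_seconds: int, clock: Callable[[], datetime]):
        self._lifetime = timedelta(seconds=lifetime_seconds)  # absolute, not sliding
        self._clock = clock
        self._users: dict[int, User] = {}
        self._sessions: dict[str, Session] = {}
        # Global kill switch: sessions issued at or before this instant are dead.
        self._killed_before: datetime | None = None

    def add_user(self, user: User) -> None:
        self._users[user.id] = user

    def login(self, user_id: int, user_agent: str, ip: str, mfa_passed: bool = False) -> str | None:
        user = self._users[user_id]
        if user.roles & PRIVILEGED_ROLES and not mfa_passed:
            return None  # MFA is mandatory for admins and board members
        now = self._clock()
        sid = secrets.token_urlsafe(32)  # 256-bit random session identifier
        self._sessions[sid] = Session(sid, user_id, user.credential_version,
                                      now, now + self._lifetime, user_agent, ip)
        return sid

    def validate(self, sid: str) -> Session | None:
        """Return the session if still good; None means 'treat as logged out'."""
        s = self._sessions.get(sid)
        if s is None or s.revoked:
            return None
        if self._clock() >= s.expires_at:
            return None  # absolute lifetime reached
        if self._killed_before is not None and s.issued_at <= self._killed_before:
            return None  # caught by a global revocation
        if s.credential_version != self._users[s.user_id].credential_version:
            return None  # password / e-mail changed after this session was issued
        return s

    def change_credentials(self, user_id: int) -> None:
        """Call after a password or e-mail update; all of the user's sessions die."""
        self._users[user_id].credential_version += 1

    def revoke_session(self, sid: str, acting_user_id: int | None = None) -> bool:
        """Revoke one session. Members may only revoke their own; admins pass None."""
        s = self._sessions.get(sid)
        if s is None or (acting_user_id is not None and s.user_id != acting_user_id):
            return False
        s.revoked = True
        return True

    def revoke_user_sessions(self, user_id: int, keep: str | None = None) -> int:
        """Revoke every live session of one user, optionally keeping the current one."""
        n = 0
        for s in list(self._sessions.values()):
            if s.user_id == user_id and s.id != keep and self.validate(s.id) is not None:
                s.revoked = True
                n += 1
        return n

    def revoke_all(self) -> None:
        """Admin tool: log everyone out without rotating encryption keys."""
        self._killed_before = self._clock()

    def list_sessions(self, user_id: int) -> list[dict]:
        """What a member sees in the 'active sessions' view (live sessions only)."""
        return [{"id": s.id, "user_agent": s.user_agent, "ip": s.ip,
                 "issued_at": s.issued_at.isoformat(), "expires_at": s.expires_at.isoformat()}
                for s in self._sessions.values()
                if s.user_id == user_id and self.validate(s.id) is not None]
```

Two design points carry over to any real implementation: `validate` re-checks the user's current credential version on every request rather than trusting what was written at login, and a global revocation is a timestamp comparison, so it needs no scan over stored sessions and no key rotation.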

Why is this needed?

No response

Other information

No response
