On changing password, logout from all except the active one
Posted: Fri Apr 05, 2013 5:40 pm
by rupaknepali
What is the issue?
I have opened the same site in different browsers. When I change the password in one, I am still able to keep browsing and ordering in the other.
Can we make it so that if the password is changed, we are logged out from all sessions except the current one?
Re: On changing password, logout from all except the active
Posted: Sat Apr 06, 2013 7:53 am
by butte
That is not a fault of OC, and actually is not a fault of the browsers, it's just the way the world is. Kill the cookies and kill the cache; in each browser (they don't all get filed in the same places). Generally, once a particular browser having a particular machine address is logged in, it stays logged in, and often the machine stays logged in. That depends upon whether a cookie here and another cookie there look only at machine addresses. If you want to retest access from one browser on one machine, you must often kill cookies, and cache, and often then the browser, and restart it.
Re: On changing password, logout from all except the active
Posted: Tue Dec 29, 2015 11:08 pm
by frankiewonghk
I created a new table in the DB to store the session id and customer id upon user login, and then once the password is changed, I clear all the sessions with that customer id except the active one. I am working on OC 2.1.0.1,
in catalog/model/account/customer.php
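/**
 * Set a new password for the customer identified by $email and revoke the
 * customer's other sessions.
 *
 * Two call paths are handled:
 *  - the logged-in "change password" form: every recorded session for the
 *    customer except the caller's own is destroyed, so other browsers and
 *    devices are logged out while the caller stays logged in;
 *  - the forgotten-password reset (caller not logged in): every recorded
 *    session for the customer is destroyed, and the caller's own anonymous
 *    session is discarded as well.
 *
 * @param string $email    Customer e-mail, matched case-insensitively.
 * @param string $password New plaintext password.
 * @return void
 */
public function editPassword($email, $password) {
    $this->event->trigger('pre.customer.edit.password');

    // Legacy OpenCart 2.x hash: per-customer salt, nested SHA1. It must stay in
    // step with the verification in system/library/customer.php::login(); a
    // move to password_hash()/password_verify() would have to change both.
    $salt = token(9);
    $hash = sha1($salt . sha1($salt . sha1($password)));

    $this->db->query("UPDATE " . DB_PREFIX . "customer SET salt = '" . $this->db->escape($salt) . "', password = '" . $this->db->escape($hash) . "' WHERE LOWER(email) = '" . $this->db->escape(utf8_strtolower($email)) . "'");

    $this->event->trigger('post.customer.edit.password');

    // custom code - force logout other sessions
    $current_session_id = $this->session->getId();

    if ($this->customer->isLogged()) {
        // NOTE(review): assumes the logged-in customer is the owner of $email
        // (true for the account/password controller); confirm for other callers.
        $this->destroyCustomerSessions($this->session->data['customer_id'], $current_session_id);
    } else {
        // Forgotten-password path. Pass the raw address: getCustomerByEmail()
        // escapes for SQL itself, so escaping here double-escapes addresses
        // containing quotes and they fail to match.
        $customer = $this->getCustomerByEmail(utf8_strtolower($email));

        if ($customer) {
            $this->destroyCustomerSessions($customer['customer_id'], null);

            // The original implementation also discarded the caller's own
            // (anonymous) session after a reset; kept for compatibility.
            session_destroy();
        }
    }
}

/**
 * Destroy every PHP session recorded for $customer_id in the customer_session
 * table, except $keep_session_id, then re-attach the caller's own session.
 *
 * @param int         $customer_id
 * @param string|null $keep_session_id Session id to leave alive; null = none.
 * @return void
 */
private function destroyCustomerSessions($customer_id, $keep_session_id) {
    $current_session_id = $this->session->getId();

    $query = $this->db->query("SELECT session_id FROM `" . DB_PREFIX . "customer_session` WHERE customer_id = '" . (int)$customer_id . "'");

    // The framework has already started the caller's session; PHP will not
    // switch session_id() while a session is active, so release it first.
    session_write_close();

    foreach ($query->rows as $row) {
        $session_id = $row['session_id'];

        if ($keep_session_id !== null && $session_id === $keep_session_id) {
            continue;
        }

        // Only hand well-formed ids to session_id(); anything else is simply
        // dropped from the table (session_id() would reject it anyway).
        if (preg_match('/^[a-zA-Z0-9,-]+$/', $session_id)) {
            session_id($session_id);
            session_start();
            session_destroy();
        }

        $this->db->query("DELETE FROM `" . DB_PREFIX . "customer_session` WHERE session_id = '" . $this->db->escape($session_id) . "'");
    }

    // Re-attach the caller's own session.
    // NOTE(review): after this restart the framework's Session object may no
    // longer alias $_SESSION — verify that data written later is persisted.
    session_id($current_session_id);
    session_start();
}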
In system/library/customer.php
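/**
 * Authenticate a customer and bind the current session to them.
 *
 * With $override = true (admin "login as customer") the password is not
 * checked and no customer_session row is recorded, so such a session is not
 * revoked by editPassword(). Otherwise the password must match the stored
 * salted SHA1 hash or the legacy unsalted MD5 hash, and the account must be
 * both enabled (status) and approved.
 *
 * @param string $email
 * @param string $password Plaintext password; ignored when $override is true.
 * @param bool   $override
 * @return bool true on success, false when no matching customer exists.
 */
public function login($email, $password, $override = false) {
    $email_sql = $this->db->escape(utf8_strtolower($email));

    if ($override) {
        $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $email_sql . "' AND status = '1'");
    } else {
        // Legacy MD5 accounts are still accepted and are not upgraded here;
        // a rehash on successful login would need editPassword() to stay
        // compatible with the new format.
        $customer_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "customer WHERE LOWER(email) = '" . $email_sql . "' AND (password = SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1('" . $this->db->escape($password) . "'))))) OR password = '" . $this->db->escape(md5($password)) . "') AND status = '1' AND approved = '1'");
    }

    if (!$customer_query->num_rows) {
        return false;
    }

    $row = $customer_query->row;

    if (!$override) {
        // Record which customer owns this session so editPassword() can
        // revoke the customer's other sessions. customer_id is an integer
        // column, so cast it as the ip UPDATE below does.
        $this->db->query("INSERT INTO `" . DB_PREFIX . "customer_session` SET customer_id = '" . (int)$row['customer_id'] . "', session_id = '" . $this->db->escape($this->session->getId()) . "'");
    }

    $this->session->data['customer_id'] = $row['customer_id'];

    $this->customer_id = $row['customer_id'];
    $this->firstname = $row['firstname'];
    $this->lastname = $row['lastname'];
    $this->customer_group_id = $row['customer_group_id'];
    $this->email = $row['email'];
    $this->telephone = $row['telephone'];
    $this->fax = $row['fax'];
    $this->newsletter = $row['newsletter'];
    $this->address_id = $row['address_id'];

    $this->db->query("UPDATE " . DB_PREFIX . "customer SET ip = '" . $this->db->escape($this->request->server['REMOTE_ADDR']) . "' WHERE customer_id = '" . (int)$this->customer_id . "'");

    return true;
}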
/**
 * End the current customer's login: remove this session's row from the
 * customer_session tracking table, drop customer_id from the session data,
 * and reset the in-memory identity fields.
 *
 * @return void
 */
public function logout() {
    $sid = $this->session->getId();

    $this->db->query("DELETE FROM `" . DB_PREFIX . "customer_session` WHERE session_id = '" . $this->db->escape($sid) . "'");

    unset($this->session->data['customer_id']);

    foreach (['customer_id', 'firstname', 'lastname', 'customer_group_id', 'email', 'telephone', 'fax', 'newsletter', 'address_id'] as $field) {
        $this->$field = '';
    }
}