Severity: low | CWE-613 | OWASP A07:2021

No Logout Everywhere

Not providing a 'log out all devices' option leaves sessions active on stolen or forgotten devices indefinitely.

How It Works

Users change their password after a suspected breach, but if the attacker's session token is not revoked at the same time, the attacker stays logged in: changing the credential does nothing to sessions that were issued before the change. Similarly, a stolen device or a shared computer with a forgotten session stays accessible until the token expires naturally, which could be months.

Vulnerable Code

// BAD: logout only clears the current device's session
async function logout(sessionToken: string) {
  await db.sessions.delete({ token: sessionToken }); // only this session; every other token for the user stays valid
}

Secure Code

// GOOD: option to revoke all sessions for a user
async function logoutAllDevices(userId: string) {
  await db.sessions.deleteMany({ userId }); // revoke every active session belonging to this user
}
// Trigger this automatically when the user changes their password

Real-World Example

Multiple data breaches have been prolonged because victims changed their passwords but didn't invalidate active attacker sessions. WhatsApp and major banks have faced criticism for not providing 'sign out all devices' functionality.

How to Prevent It

  • Provide a 'log out all devices' button in account settings
  • Automatically revoke all sessions when a password is changed
  • Show users a list of active sessions with device type, location, and last active time
  • Set a maximum session lifetime (e.g., 30 days) so old sessions expire automatically
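The secure "log out all devices" path and the four prevention steps above, carried through in one in-memory session store as an added TypeScript example (not the page's or Data Hogo's code). SessionStore, its method names and the persist callback are assumptions; the store stands in for the db.sessions table used in the snippets.

```typescript
import { randomBytes } from "node:crypto";

// Maximum session lifetime from the page's advice (30 days), in milliseconds.
const MAX_SESSION_LIFETIME_MS = 30 * 24 * 60 * 60 * 1000;
interface Session { userId: string; device: string; createdAt: number; lastActive: number }

// In-memory stand-in for the db.sessions table on the page (assumed shape).
class SessionStore {
  private sessions = new Map<string, Session>();
  create(userId: string, device: string, now = Date.now()): string {
    const token = randomBytes(32).toString("hex"); // unguessable session token
    this.sessions.set(token, { userId, device, createdAt: now, lastActive: now });
    return token;
  }

  // Validate a token; a session past the maximum lifetime is dropped on sight.
  resolve(token: string, now = Date.now()): Session | undefined {
    const s = this.sessions.get(token);
    if (!s) return undefined;
    if (now - s.createdAt > MAX_SESSION_LIFETIME_MS) { this.sessions.delete(token); return undefined; }
    s.lastActive = now;
    return s;
  }
  logout(token: string): void { this.sessions.delete(token); } // current device only

  // "Log out all devices": revoke every session of the user except, optionally,
  // the one making the request, so the user is not kicked out mid-action.
  logoutAllDevices(userId: string, keepToken?: string): number {
    let revoked = 0;
    this.sessions.forEach((s, token) => {
      if (s.userId === userId && token !== keepToken) { this.sessions.delete(token); revoked++; }
    });
    return revoked;
  }

  // Data for the "active sessions" list in account settings (expired ones omitted).
  listActive(userId: string, now = Date.now()): { device: string; lastActive: number }[] {
    return Array.from(this.sessions.values())
      .filter((s) => s.userId === userId && now - s.createdAt <= MAX_SESSION_LIFETIME_MS)
      .map((s) => ({ device: s.device, lastActive: s.lastActive }));
  }
}

// Password-change hook: the credential update is done by `persist` (out of scope
// here); every session other than the caller's is revoked automatically.
function changePassword(store: SessionStore, userId: string, currentToken: string,
                        persist: () => void = () => {}): number {
  persist();
  return store.logoutAllDevices(userId, currentToken);
}
```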

Affected Technologies

Node.js

Data Hogo detects this vulnerability automatically.
