How to invalidate wordpress_logged_in cookie via backchannel logout

We assume that the cookie should no longer allow re-login once wp user session destroy –all has been executed. Is this assumption wrong?

The cookie has nothing to do with re-logging in, the command will destroy their current active sessions, and has nothing to do with future sessions.

A user can create new sessions by logging in, but you can prevent that via your SSID implementation. At that point it is no longer a WordPress question but an OpenID Connect question. If it allows them to log in again a new session will be created, if it does not then no session is created since a successful login is needed to create one.

Is there a way to invalidate this cookie via WP CLI without adding custom code?

Four alternative methods:

  • Edit the user in WP Admin and press the log out everywhere button
  • Fetch the users session manager object via $manager = WP_Session_Tokens::get_instance( get_current_user_id() ); then call destroy_all() on the resulting object.
  • Manually delete the sessions in SQL ( Note that this carries risk as it won’t run hooks, clear caches and object caches, etc )
  • Using CLI you could erase the user meta that stores the sessions, while this is safer than using a raw SQL query, and clears the user meta cache as needed, it won’t run the relevant hooks and still carries some risk that the CLI command you mentioned will handle.

If not, what is the best practice to fully log out users in this scenario?

The deletion of the session via WP CLI or via the code snippet is enough to invalidate the cookie and force the user to log in and create a new session. The existing session and any cookies it supported are ineffective and invalidated as a result of the sessions deletion.

My recommendations:

  • For WP CLI use the wp user session destroy command you’re already using.
  • For PHP code, use the session token manager snippet.

A General Note on Sessions

In user meta is a list of current active/valid sessions, and the cookie refers to this. Erasing these sessions means that the cookies are no longer usable and new ones need to be created. This is how the log out everywhere button on the user profile page works, and no browser visits or cookie erasure is necessary.

https://developer.wordpress.org/reference/functions/wp_destroy_all_sessions/

wp_destroy_all_sessions will erase all sessions for the currently logged in user.

I would also note that this list is of active sessions, once a session is no longer active it is removed, so it can’t be used to find out when a user last logged in. Any system that does can be thwarted by logging out to remove the session from the list.

Also, these are not PHP sessions, those are a separate thing that is not used by WordPress and carry their own consequences and compatibility issues.

We run WordPress with the OpenID Connect Generic Client plug-in to provide SSO using Keycloak.

Note that you should also look into this plugin specifically, only answers for general WordPress can be given here, and this plugin might interfere or change how this system works, although this is unlikely.

Related Posts:

  1. wp-cli Enabling Maintainance Mode
  2. WP-CLI Cannot Connect to Database due to Vagrant
  3. Changing the WP CLI cache folder
  4. WP-CLI Process Killed
  5. wp-cli commands do nothing, return nothing
  6. How do I clone or duplicate a post with the WordPress Command Line Interface WP-CLI?
  7. WP-CLI get all posts from certain post type and taxonomy term
  8. Does wp post delete also delete metadata associated with posts?
  9. WP-CLI :: Cannot installing plugin as www-data
  10. Export list of users with first and lastname in WP-CLI
  11. WP-CLI – Return posts with matching meta key
  12. Prompt user for input in WP CLI
  13. WP-CLI throwing PHP Fatal error: Call to undefined function apply_filters() [closed]
  14. How to log out everywhere else, destroy all sessions “all other devices”?
  15. Revert WordPress default options after a PHPUnit test has run
  16. Can I create multiple pages at once using WP-CLI?
  17. WP-CLI update date and time format
  18. wp-cli create post and media import
  19. What is the difference between the Package Language and the Site Language?
  20. How do I update a nested option?
  21. Wp-cli-ssh global installation problem [closed]
  22. WP-CLI with theme: Uncaught Error: Class ‘WP_CLI’ not found
  23. WPCLI search and replace variants for all tables
  24. Can I create (or update) user password with WP-CLI by hash?
  25. Is there a way to pre-cache plugins with WP-CLI for faster installation?
  26. Allow download_url for lan addresses
  27. How to prevent WP-CLI shell from exiting when an exception occurs?
  28. WP-CLI Get Site ID from its url
  29. WP-CLI alias: connect with ssh proxy
  30. Execute wp-cli command on all sites on server
  31. Ask WP-CLI latest core WordPress version released
  32. How to change a post attribute to homepage using WP CLI?
  33. Unable to install plugins from wp-cli
  34. WP-CLI sudden empty response
  35. Custom Connect to Facebook, problem logging in/logging out
  36. How to get all posts related to a term with WP-CLI?
  37. How to verify a correct wp-cli installation?
  38. How can I add an RSS widget using WP-CLI?
  39. Shortest way to install WP-CLI
  40. Uninstall WP-CLI
  41. Get last published post in WordPress using wp-cli
  42. WP Cli will not execute on Windows
  43. Formatting messed up when piping wp commands
  44. Where do the files of a custom WP CLI Command reside?
  45. wp-cli configuration in php?
  46. How to use wp db export and import together?
  47. How to find what pages/posts contain a particular reusable block?
  48. WP CLI not finding plugin commands
  49. How can I search and replace by post type?
  50. Only the WP CLI command, wp –info, runs under my cPanel account
  51. Error establishing a database connection when running phpunit
  52. Session Experies and Get Logged Out Within Few Minutes
  53. Set Site Icon programmatically (eg. using `wp cli`)
  54. Specify custom php.ini to use with WP-CLI
  55. How to rename default category name and slug using WP CLI?
  56. Resetting internal WordPress state during its cycle
  57. How do I add HTML code to a widget with wp-cli?
  58. Wildcard for wp-cli search-replace
  59. Update BackupBuddy with WP-CLI
  60. Is resetting post data necessary with custom WP_CLI commands?
  61. Get media url (featured image) with wp-cli
  62. Can I use wp-cli to create posts with a custom post types?
  63. Do all WordPress installations include WP CLI by default
  64. WP-CLI plugin install causes PHP fatal error – Using $this when not in object context
  65. WP CLI allowed fields?
  66. WP-CLI unable to recongnise PHP server / environment variables on Ubuntu
  67. WP-CLI media import error
  68. How best to keep my localhost on Http while my Remote production is on Https
  69. Can’t Connect to MySQL Database using WP CLI and MAMP on a macOS Catalina, using Oh My Zsh
  70. Is it possible to view WP documentation within the WordPress shell?
  71. Userless db-only wordpress instalation
  72. WPCLI doesn’t recognize the site
  73. One-click WP site generation wih wp-cli on Windows
  74. Combine WPCLI commands for plugin installation and activation?
  75. Add passwords to config.yml to manage multiple sites
  76. What user should I use for wp-cli on Ubuntu VPS [closed]
  77. WP-CLI mysteriously stopping while downloading the core [closed]
  78. add class to element if user is not logged in [closed]
  79. Working with CLI and missing my namespace classes inside
  80. Mocking WP_CLI static methods in unit tests
  81. How to add an array to a command “wp config set”?
  82. WP CLI: critical error on your website
  83. How to specify which editor is used when editing posts with WP-CLI?
  84. WP changes siteurl, but some URLs then don’t work
  85. Creating a subcommand for custom wp-cli command
  86. Install plugin on remote wordpress
  87. WP-CLI is unable to update password
  88. Make WordPress more like Jekyll (using wp-cli package?)
  89. Find latest/published version of post using wp-cli
  90. Wp-cli from a plugin?
  91. Is it possible to update a single page using WP-CLI?
  92. undefined function apache_request_headers()
  93. ignoring, hidding mu plugins when wp-cli is run
  94. How to install WordPress with Composer?
  95. WordPress CLI isn’t working while use WordPress development repository
  96. Remote Export DB w. WP-cli.phar Over SSH
  97. is it possible to use wp cli to export custom post types
  98. Why doesn’t “wp db cli” enable tab completion?
  99. Warning: Constant WP_DEBUG already defined
  100. Changing boolean value with “wp option patch”
techhipbettruvabetnorabahisbahis forumutaraftarium24edusedusedueduseduseduseduseduseduedu