Session management

This probably won’t get a lot of votes as it’s not important (or flashy) until it’s important. Seems like this should be a basic level functionality of the tool since keeping your passwords safe and secure is key. If someone hacks in they are “authorized” without anyway to keep them out. Someone just hacked my account, and I only use the master password at this site, so that’s troubling. But thankfully I got a notification of new device, deauthorized sessions and changed password. But that device is still going to be “authorized” with no way for me to remove it – if they hack back in I won’t know.

1 Like

Sorry to hear that your login credentials were compromised. That has to be stressful.

If you deauthorized all sessions, then the device that was used to access your account will also be deauthorized now. So, assuming you have been updating the credentials for your various items stored in Bitwarden, an attacker should not be able to access your updated information.

I would be more worried about how someone learned your master password and how they were able to overcome your 2FA. Any guesses? What type of two-step login are you using?

FL_Guy did not say that he was using 2FA.

You would think once I deauthorized all sessions then all future login’s by devices would be reported. But nope, I’ve now gone back in and logged into Bitwarden on my laptop, desktop and mobile using my new password, but received no emails that a new device had logged in. So assuming that devices remained “authorized” despite sessions being cancelled. I agree, concerning on how they accessed my account, but as I mentioned, this is the only place I use that password. I have malware protection and Windows security running, so your guess would be a good as mine as to how they got the password. Hopefully not a security issue on Bitwarden.

I was not using 2FA, but have it set now. Oddly, it did not require my active sessions to be verified with 2FA. Seems once 2FA was activated it should log out sessions automatically to really activate it.

2 Likes

Hi again, Bob. OK, I understand better now. I use 2FA on my account (glad you are now, too!), and I get an email every time I perform a two-step login, even if I have been using that device previously. I am surprised to hear that you did not receive login notifications even though you deauthorized all sessions. Perhaps it has something to do with not using 2FA? Maybe @tgreer knows?

If I might suggest something, try deauthorizing all sessions again, then perform your two-step login again and see if you get the notification. I suspect it will work now that you have 2FA enabled. If not, try from a private-browser session to see if that works (it definitely should). If that doesn’t work, then something is amiss with your account or your email setup, I would guess.

Thanks for your comments and suggestions David. After I set-up 2FA I deauthorized all sessions. I had to log back in (a good thing) and it also then prompted for the authentication code (still good) and all went well. However, it didn’t send an email that a new device had logged in (that’s not good).

I then tried using incognito mode, logged in, prompted for authentication code and all went well. I did receive an email that a new device had logged in.

So, based on my experience, deauthorizing didn’t deactivate devices. I don’t think it’s a problem with my account as I receive the notice yesterday with an unknown IP address and the login from a incognito session today.

An example of why Bitwarden should display the approved devices as well as allow removal as deauthorization didn’t remove them. Even if deauthorization process does remove devices I think it would still be good practice to be able to see authorized devices just in somehow someone managed to get in undetected.

2 Likes

Agreed. I voted for this request a long time ago, and I hope it is added also!

I believe that this is one of those key features that is missing in Bitwarden. Any news on developments? @tgreer

3 Likes

hi @anon95386638! Thanks for the ping. No ETA on this at the moment, but I appreciate you all keeping the thread active!

2 Likes

I just cast my vote here, I also vote for keeping this thread alive and healthy

And by the way I just went into Preferences/Security of this Bitwarden community forum and what did I find there? Session management (what???)
Yes, apparently this feature is more important to the forum than for the actual service (again what???)

I am mildly baffled, to say at least…

Now come on…

1 Like

To be fair, this forum is powered by Discourse, an open source software solution for forums. The session management feature is thus implemented by Discourse, not Bitwarden. But I understand your confusion :smiley:

1 Like

Fair enough, I should however say that there was never any confusion about this and I am very well aware that Bitwarden did not create the forum themselves. The intention however was to prove my point that even less security oriented platforms utilize said feature.

1 Like

I’ve already searched for this exact feature and didn’t notice anything. Search function is not a reliable way to detect duplicates.

Feature name

  • Allow the users to kill specific sessions without logging out of every single Bitwarden instance.

Feature function

  • Currently killing sessions kills ALL sessions, which is annoying and almost not worth using.
  • I am locked out of a machine I used to use it on, and had to return the machine to my employer. The employer is going to retrieve some files from the machine, so I have to give them my password, but I don’t want them having access to my Bitwarden account, which I kept logged in on the machine (I think).

Related topics + references

  • This feature is available in most other apps that have multiple logins. This is not a new idea in the industry. Implement it to catch up with the industry.
1 Like