Invalidate current sessions

Hello,

I can’t find options to log out existing devices/sessions. I updated my password but I noticed existing sessions (ex: fly CLI) are still working. Is there a way to kill all active sessions?

Greetings

Hi… There are three different tokens pages on the dashboard, which makes it harder to find, but this sounds like the part of the interface you’re looking for:

https://fly.io/user/personal_access_tokens

(That’s what I use in this context, anyway.)

Hello, thank you for your answer. I don’t think the web tokens are in there. I’m talking about the cookie session tokens that are generated when you log in to the interface. Not the manually generated ones. Let’s say I logged in on multiple browsers, and also on some CLI on multiple computers.
On my main computer I changed my fly.io password, but this didn’t log out the other active sessions on other computers or CLI. Is there a way for the Fly.io support to clear all my active sessions?
This is a serious issue for us in case of session cookie theft.
Greetings,

Hm… I do see the automatically generated ones (corresponding to logins), in mine…

(“UI (fly.io)”, the first row, is the Web UI / dashboard.)

Pressing the Revoke button on each did kill the corresponding sessions of mine, although it took a few minutes to propagate.

[The other two tokens pages are limited to the manually created ones, like you said.]

Definitely… Fly.io’s way of prioritizing security is one of the reasons I originally got interested in their platform, myself.

Do you suspect that a token or session cookie may in fact have been stolen in the past, or is this just a hypothetical concern, right now?

What URL are you using to see these tokens?
I can’t access the URL you gave in the first reply ( Sign in to Your Account · Fly ), also accessible in the link “access i here”; it redirects me to the home dashboard.

The only URL I can access is: Sign in to Your Account · Fly (screenshot), which only contains manually generated tokens.

So far I can’t find a way to disconnect active sessions.

Yes, it is for the case of a cookie theft; we need all our critical services, such as an infrastructure provider with admin access, to have the ability to revoke all active sessions. In fact we suspect it, so better be safe than sorry. I need those sessions invalidated ASAP.

Greetings

It was the one from above: https://fly.io/user/personal_access_tokens

As far as I know, that should work for everyone…

If you have a Support plan, then it would be best to use one of the paid-support channels:

https://fly.io/docs/about/support/#email-support

https://fly.io/docs/about/support/#support-portal

In contrast, the community forum here is generally more for discussion and tips and not the optimal route for urgent matters.


I’m not 100% sure on this final option, but I believe you can also email security@fly.io in cases of a suspected breach. That’s the address from the “Talk to the Team” button on the official security page:

https://fly.io/security/

They consider revocation to be an essential principle of login credentials, to the best of my knowledge, so I’m sure it can be resolved…

Thank you very much for your time and guidance. Unfortunately the link Sign in to Your Account · Fly does redirect me to my dashboard.
I’ll try the email support, even though I don’t have a support subscription.

Greetings!