Don't allow multiple concurrent sessions for same user account about server HOT 4 CLOSED

Could you elaborate why?

from server.

Assuming an attacker gained access to an account, the simplest solution would be to change the password of said account. But what if the user could not log in to change the password because the session was already active somewhere else? The user is now locked out completely and the hacker has unlimited access.

The biggest risk is that session tokens can be stolen. In this case, multiple devices will use the same session, so to your backend, that's still just one concurrent login.

from server.

When someone got compromised the way to go is to drop all auth tokens for that user.

This can be done via the command line:

sudo -u www-data php occ user:auth-tokens:list <user>
sudo -u www-data php occ user:auth-tokens:delete <user>

Or when logging in as the user navigating to /index.php/settings/user/security and revoking all the tokens:

To revoke the "existing" session, just hit the logout button.

On that note, changing the password and email requires password confirmation, so a stolen session is not enough.

Additionally you should think about setting up 2FA. But binding a session to something else is just doomed to create problems along the way.

Having said all that, if you are scared on that level, you should never be running 27.1.2 at this point (but you seem to as per #44169 ). The current version is 27.1.7
You should also consider updating to 28.0.3

from server.

@nickvergessen are those commands documented anywhere? 🤔

# occ user:auth-tokens:list <username>

  There are no commands defined in the "user:auth-tokens" namespace.

  Did you mean this?
      user

from server.