

View Active Browser Sessions - ruswick
https://github.com/blog/1658-view-active-browser-sessions

======
cheald
If any GitHubbers are listening, please require credentials to revoke a
session. Imagine the scenario in which a bad actor gets one of my session
cookies - he can then hit this page, invalidate all of my sessions, and then
aggressively use this page to keep me logged out of any new sessions,
effectively locking me out of my account and preventing me from kicking _him_
out.

Requiring authentication to revoke a session would fix that handily (or just
make new sessions immune to revocation for 5 minutes or something).

That said, :thumbsup: on this. I really like having this kind of information
available.

~~~
joshpeek
It should require "sudo" privileges now.

~~~
cheald
Awesome. Thank you!
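
~~~
The fix discussed in this thread, as an added example that is not part of the original comments and is not GitHub's code: revoking a session requires a recent password confirmation ("sudo" mode), so a session cookie on its own cannot revoke anything. `SessionStore`, its method names and the 15-minute `SUDO_WINDOW` are assumptions made for the sketch.

```python
import hashlib, hmac, secrets, time

SUDO_WINDOW = 15 * 60  # assumed value: seconds a password confirmation stays fresh

class SessionStore:
    """Hypothetical single-account session table with a sudo-mode gate on revocation."""

    def __init__(self, password):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._derive(password)
        self._confirmed_at = {}  # session id -> time the password was last entered

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _password_ok(self, password):
        return hmac.compare_digest(self._derive(password), self._pw_hash)

    def login(self, password, now=None):
        if not self._password_ok(password):
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(32)
        self._confirmed_at[sid] = time.time() if now is None else now
        return sid

    def confirm_password(self, sid, password, now=None):
        """Re-enter the password from an existing session to regain sudo mode."""
        if sid not in self._confirmed_at or not self._password_ok(password):
            return False
        self._confirmed_at[sid] = time.time() if now is None else now
        return True

    def in_sudo_mode(self, sid, now=None):
        now = time.time() if now is None else now
        confirmed = self._confirmed_at.get(sid)
        return confirmed is not None and now - confirmed <= SUDO_WINDOW

    def revoke(self, actor_sid, target_sid, now=None):
        """Revoke target_sid; holding a cookie is not enough, the password must be fresh."""
        if not self.in_sudo_mode(actor_sid, now):
            raise PermissionError("password confirmation required")
        return self._confirmed_at.pop(target_sid, None) is not None

    def active(self):
        return set(self._confirmed_at)
```

A cookie copied while its session is still inside the sudo window passes this gate, so the window length is the trade-off to tune.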

