FEATURE: logging out logs you out everywhere

can be disabled by changing the setting "log_out_strict" to false

config/locales/server.en.yml

@@ -768,6 +768,7 @@ en:
     email_domains_blacklist: "A list of email domains that users are not allowed to register accounts with. Example: mailinator.com trashmail.net"
     email_domains_whitelist: "A list of email domains that users MUST register accounts with. WARNING: Users with email domains other than those listed will not be allowed!"
     forgot_password_strict: "Don't inform users of an account's existance when they use the forgot password dialog."
+    log_out_strict: "When logging out, log out ALL sessions for the user on all devices"
     version_checks: "Ping the Discourse Hub for version updates and show new version messages on the /admin dashboard"
     new_version_emails: "Send an email to the contact_email address when a new version of Discourse is available."
 

config/site_settings.yml

@@ -234,6 +234,7 @@ login:
     default: ''
     type: list
   forgot_password_strict: false
+  log_out_strict: true
 
 users:
   min_username_length:

lib/auth/default_current_user_provider.rb

@@ -82,6 +82,11 @@ class Auth::DefaultCurrentUserProvider
   end
 
   def log_off_user(session, cookies)
+    if SiteSetting.log_out_strict && (user = current_user)
+      user.auth_token = nil
+      user.save!
+      MessageBus.publish "/logout", user.id, user_ids: [user.id]
+    end
     cookies[TOKEN_COOKIE] = nil
   end
 

lib/current_user.rb

@@ -27,7 +27,7 @@ module CurrentUser
   end
 
   def current_user
-    c = current_user_provider.current_user
+    current_user_provider.current_user
   end
 
   private