Add option to invalidate session cookie on disconnect

Issue: Add option to invalidate session cookie on disconnect

Problem

When using occtl disconnect user <username>, the user's session is terminated but the session cookie remains valid in sec-mod's client database. This allows clients (like openconnect with saved cookies) to automatically reconnect within seconds without re-authentication.

In multi-server VPN setups where only one active session per user is desired, this behavior makes it impossible to reliably force a user to disconnect from one server when connecting to another.

Current behavior

  1. User connects to server and receives session cookie
  2. Admin runs occtl disconnect user <username>
  3. Worker process is killed, user is disconnected
  4. Client automatically reconnects using saved cookie (within 1 second)
  5. User is connected again without re-authentication

Expected behavior

Admin should have an option to invalidate the session cookie when disconnecting a user, preventing automatic reconnection with saved cookies.

Proposed solution

Add --invalidate (or -i) flag to occtl disconnect user and occtl disconnect id commands:

occtl disconnect user --invalidate <username>
occtl disconnect user -i <username>
occtl disconnect id --invalidate <id>
occtl disconnect id -i <id>

When this flag is used:

  1. The worker process is terminated (existing behavior)
  2. A new IPC command (CMD_SECM_INVALIDATE_COOKIE) is sent to sec-mod
  3. Sec-mod removes the user's cookie from its client database
  4. Client cannot reconnect without re-authentication

Use case

Multi-server VPN deployment where:

  • Multiple ocserv instances serve different locations
  • Users should only have one active session at a time
  • Connect script on server A should disconnect user from server B with cookie invalidation
  • This ensures user fully migrates to new server without automatic reconnection to old one

Implementation

I have implemented this feature and tested it on ocserv 1.4.0. Ready to submit a merge request if this approach is acceptable.

Changes include:

  • New invalidate_cookie field in username_req and id_req (ctl.proto)
  • New CMD_SECM_INVALIDATE_COOKIE IPC command
  • New secm_invalidate_cookie_msg message type (ipc.proto)
  • Handler in sec-mod to delete cookies from client_db
  • Modified occtl to parse -i/--invalidate flag

Environment

  • ocserv version: 1.4.0
  • OS: Ubuntu 22.04 / Arch Linux
  • Client: openconnect with cookie persistence