GSoC-2021 with OpenMRS week 9

Nsereko Joshua
Aug 11, 2021

Security Issues with OpenMRS

Last week, I started thinking about improving session management in our OMRS system. My major goal was to improve the password change mechanism so that, after a successful password change, all user sessions are invalidated and the user is redirected back to the login screen. This is the functionality I also intend to implement on user logout from the system.
My obligation is to lock a hacker out of the system on user logout or password change, if he/she had access to the user's account credentials.

User session graphical simulation.

The simple image above depicts the simulation where a user logs into the system from more than one device (different browsers such as Chrome, Firefox and a Firefox private window), where each device represents a different session of the same user.

Algorithm

# I have created a java.util.Map object to temporarily store sessions per user.
# Each time the user logs into the system, his session is recorded and put in the map.
# On password change, all user sessions are invalidated.
# On user logout, all his sessions are removed.
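To make the algorithm concrete, here is an added example of such a per-user session registry. It is not OpenMRS code; the small `Session` interface is an assumption standing in for `javax.servlet.http.HttpSession` so the class compiles on its own, and `unregister` is assumed to be wired to a `sessionDestroyed` listener so timed-out sessions do not accumulate in the map.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Assumption: minimal stand-in for javax.servlet.http.HttpSession so the
// example compiles without the Servlet API on the classpath.
interface Session {
    String getId();
    void invalidate();
}

public class UserSessionRegistry {
    // username -> live sessions of that user (thread-safe, since logins
    // from several browsers can arrive concurrently)
    private final Map<String, Set<Session>> sessions = new ConcurrentHashMap<>();

    // Called after a successful login.
    public void register(String username, Session session) {
        sessions.computeIfAbsent(username, u -> ConcurrentHashMap.newKeySet())
                .add(session);
    }

    // Assumed to be called from HttpSessionListener.sessionDestroyed, so a
    // session that simply times out is also dropped from the map.
    public void unregister(String username, Session session) {
        Set<Session> set = sessions.get(username);
        if (set != null) {
            set.remove(session);
            if (set.isEmpty()) {
                sessions.remove(username, set);
            }
        }
    }

    // Called on password change and on logout: every session of the user
    // is invalidated, not only the one that issued the request.
    public int invalidateAll(String username) {
        Set<Session> set = sessions.remove(username);
        if (set == null) {
            return 0;
        }
        int count = 0;
        // Iterate over a copy: invalidate() fires sessionDestroyed, which
        // calls unregister() and would otherwise modify the set mid-loop.
        for (Session s : new HashSet<>(set)) {
            try {
                s.invalidate();
                count++;
            } catch (IllegalStateException alreadyInvalid) {
                // session was already invalidated elsewhere; nothing to do
            }
        }
        return count;
    }

    public int activeSessionCount(String username) {
        Set<Session> set = sessions.get(username);
        return set == null ? 0 : set.size();
    }
}
```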

The only blocker here is finding the most convenient place to implement this. This brought up the question of whether it should live in Core or be done by updating the CurrentUser.java class in the Legacyui module.

This work is still in development, and I think it might be my last issue as far as GSoC 2021 is concerned.
Thank you all for viewing this.
