Users should have a UI for managing sessions

[jorbin]

After the work to add logged-in session code under the hood in 4.0, We should aim to provide users with controls on the user profile screen and user editing screen for managing logged-in sessions.

Feature Plugin: ​https://github.com/johnbillion/wp-session-manager

[jorbin]

As we had discussed in the dev chat, I've written up a patch that adds a button to the profile page for destroying sessions and also for capturing IP address, User Agent, and session creation time.

[jorbin]

The new version cleans things up a bit based on feedback from ocean90 and johnbillion.

[ocean90]

30264.4.diff​:

• Adds missing p tag for inline messages
• Adjusts styling for inline messages
• Fixes sprintf( __( 'Log $s out of all sessions' ), $profileuser->display_name );
• Simplifies button selector to #destroy-sessions
• Caches jQuery selector
• Renames sessionmanager to _wpSessionMangager
• Adds translators comments

[johnbillion]

30264.5.diff​ is the final pass at this. Additions:

• Generic error message to avoid introducing multiple strings
• Only displays the button on the profile screen when there are sessions which can be cleared for the user
• Actually store the additional session information against the session

[johnbillion]

In 30333:

Introduce a button on the user profile screen which clears all other sessions, and on the user editing screen which clears all sessions. Only appears when there are applicable sessions which can be cleared.

See #30264.
Props jorbin, ocean90, johnbillion

[johnbillion]

Marking as fixed for 4.1. Future enhancements can go into another ticket.

[ocean90]

In 30334:

Improvements to [30333]:

• Move .hide-if-no-js class to table row
• Add a wrapper class
• Add missing translators comment

see #30264.

[DrewAPicture]

Periods.

[SergeyBiryukov]

In 30596:

Add missing periods to strings introduced in [30333].

props DrewAPicture.
see #30264.

[nacin]

This implementation can currently leak a session token when there is no actual need to do so. While cookies are HTTP Only, the current session token is available on profile.php via JavaScript. All we need to do is check if the current user is the user being edited, and then trash all other cookies. Otherwise it's also possible to log yourself out this way when it isn't designed like that. That's not a CSRF issue as you have a nonce also blocking this, but we can't be leaking a piece of a cookie like this.

I'm making a few other code changes:

• Re-use the update-user_{$id} nonce. No need for a separate nonce here at this time.
• Don't localize any values, we can get them from the form (especially since we're reusing a nonce).
• Use wp_verify_nonce() rather than check_ajax_referer() because there's no benefit to check_ajax_referer(), and the double false actually tripped me up pretty badly.
• Use wp.ajax from wp-util.js rather than parsing the response from wp_send_json() ourselves.
• I'm giving our error/success messages the proper padding by overriding a margin style on .form-table td p.

Finally, I'm making a last-minute UX change:

More than a few testers have wondered why there's no button on the profile page. This may be because we mention this on the about page. It also may be because someone might tell someone else "go here and do that" and the next thing they're going to say is "I don't understand, where is it?" rather than think "OK, I'm good." markjaquith and I both think there should be a disabled button normally. The language is "You are only logged in at this location."

(Note this uses count() === 1, not count() <= 1, because if sessions are for some reason disabled, we shouldn't show anything.)

[nacin]

In 30888:

Updates to the 'Log out everywhere' implementation.

• Include a message and a disabled button when you're only logged in at one location.
• Avoid leaking the session token in HTML.
• Simplify, simplify, simplify.

see #30264.

[johnbillion]

Nice improvements.

[johnbillion]

In 30895:

Updates to the 'Log out everywhere' implementation.

• Include a message and a disabled button when you're only logged in at one location.
• Avoid leaking the session token in HTML.
• Simplify, simplify, simplify.

Merges [30888] to the 4.1 branch.

Fixes #30264.

[SergeyBiryukov]

In 39908:

I18N: Reference correct placeholder in a translator comment added in [30333].

See #30264.