
Security: no forced logout on multiple logins
Closed, Declined (Public)

Description

Author: hemanshu_desai

Description:
MediaWiki allows people to log in under the same username from different computers at
the same time. This means that if I forget to log out from a computer, anyone at
that computer can access Wikipedia and pretend to be me. This is a security hazard.


Version: unspecified
Severity: enhancement

Details

Reference
bz1548

Event Timeline

bzimport raised the priority of this task from to Lowest. (Nov 21 2014, 8:15 PM)
bzimport set Reference to bz1548.
bzimport added a subscriber: Unknown Object (MLST).

richholton wrote:

I would be against this kind of feature, unless it was an individual user option.

I set up my laptop to "remember me between sessions". Basically, I never log out.
I would be very disappointed if this would mean I could not use Wikipedia from
another system.

Also, it would really do nothing to help security. If you forget to log out from
computer A, how will preventing you from logging in from computer B help?
Computer A remains open for anyone to use either way.

hemanshu_desai wrote:

(In reply to comment #1)

> I would be against this kind of feature, unless it was an individual user option.
>
> Also, it would really do nothing to help security. If you forget to log out from
> computer A, how will preventing you from logging in from computer B help?
> Computer A remains open for anyone to use either way.

The idea is not to prevent login from computer B but if same login is from
computer B, the user from computer A should be logged off automatically... again
when you log in on computer A, the login at computer B should expire so that
no one else can use it.

Hemanshu

richholton wrote:

> The idea is not to prevent login from computer B but if same login is from
> computer B, the user from computer A should be logged off automatically... again
> when you log in on computer A, the login at computer B should expire so that
> no one else can use it.

Of course. This makes sense. However, if someone has "remember password across
sessions" checked in preferences, then this would not occur. Am I correct?

I am totally against that feature, I use the same account on multiple
computers and browsers at home.
Users should probably remember to log out when they use their account
on another computer.

Changed severity to enhancement and priority to low, given the opposing comments
above.

epriestley changed the task status from Declined to Resolved by committing Unknown Object (Diffusion Commit). (Mar 4 2015, 8:22 AM)
epriestley added a commit: Unknown Object (Diffusion Commit).
Aklapper changed the task status from Resolved to Declined. (Mar 4 2015, 11:42 AM)
Aklapper claimed this task.
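
The behaviour debated in the comments above, modelled as an added example (not MediaWiki code and not part of the original task): a server-side session store where "newest login wins" is a per-user option, as comment #1 asked. The class, method names and the users `alice` and `bob` are constructed for illustration.

```python
import secrets


class SessionRegistry:
    """Toy server-side session store (constructed model, not MediaWiki's)."""

    def __init__(self):
        self._sessions = {}            # token -> username
        self._single_session = set()   # users who opted in to "newest login wins"

    def set_single_session(self, user, enabled):
        """Per-user preference: revoke older sessions on each new login."""
        if enabled:
            self._single_session.add(user)
        else:
            self._single_session.discard(user)

    def revoke_all(self, user):
        """Invalidate every session of `user`; returns how many were dropped."""
        stale = [t for t, u in self._sessions.items() if u == user]
        for token in stale:
            del self._sessions[token]
        return len(stale)

    def login(self, user):
        # Opted-in users: logging in on computer B expires computer A's session.
        if user in self._single_session:
            self.revoke_all(user)
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[token] = user
        return token

    def whoami(self, token):
        """Return the username for a valid token, or None if revoked/unknown."""
        return self._sessions.get(token)


def demo():
    reg = SessionRegistry()
    # Default behaviour (what the task describes): concurrent sessions coexist.
    a1, a2 = reg.login("alice"), reg.login("alice")
    concurrent_ok = reg.whoami(a1) == reg.whoami(a2) == "alice"
    # Opt-in behaviour (what the reporter proposed).
    reg.set_single_session("bob", True)
    comp_a = reg.login("bob")
    a_valid_before = reg.whoami(comp_a)   # A stays usable until B logs in
    comp_b = reg.login("bob")
    return concurrent_ok, a_valid_before, reg.whoami(comp_a), reg.whoami(comp_b)
```

The session on computer A is revoked only at the moment of the next login; until then it remains valid, which is the limitation raised in comment #1.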