
Allow per-session log out
Open, Low, Public

Description

MediaWiki core handles logout by clearing browser cookies; if the user is also logged in on a different device, that's not affected.
CentralAuth, on the other hand, changes the user token stored in the global user table on logout, so all sessions are invalidated. This is more secure but also more annoying - there's no way (without manual cookie tampering) to log in and out on e.g. a public library computer without getting logged out on all my devices.

Security concerns aside, replicating the core behavior in CentralAuth would be very hard: you'd have to delete the cookies on all the other domains as well (see T124409: Logging out immediately logs you back in), so this would require tracking all open sessions in the database (i.e. instead of the current user_token field, or gu_auth_token for CentralAuth, have something that's in a many-to-one relationship with the user record).
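The two designs contrasted above, modelled side by side as an added example (this is illustrative code, not MediaWiki or CentralAuth code; the class names, the in-memory tables standing in for database rows, and the device labels are assumptions). The first store keeps a single token per user, so logout can only rotate that token and every session dies with it. The second keeps one row per session in a many-to-one relationship with the user, which allows logging out just the current device, just the other devices (the forgotten public-library computer), or everything (suspected compromise), and gives a "currently logged in" panel something to list.

```python
import hashlib
import hmac
import secrets


def _hash_token(token: str) -> str:
    # Store only a digest of the cookie secret, so a leaked sessions table
    # does not hand out usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


class GlobalTokenStore:
    """One token per user, like user_token / gu_auth_token (assumed model).

    Every cookie carries the same secret, so the only possible logout is to
    rotate the user's token, which invalidates all of that user's sessions."""

    def __init__(self):
        self._token_by_user = {}  # user_id -> token

    def login(self, user_id):
        token = self._token_by_user.setdefault(user_id, secrets.token_hex(16))
        return (user_id, token)  # the cookie handed to the browser

    def is_valid(self, cookie):
        user_id, token = cookie
        expected = self._token_by_user.get(user_id, "")
        return hmac.compare_digest(expected, token)

    def logout(self, cookie):
        user_id, _ = cookie
        # Rotating the token kills this session and every other one too.
        self._token_by_user[user_id] = secrets.token_hex(16)


class SessionStore:
    """One row per session, many-to-one with the user (assumed model).

    The cookie is (session_id, secret); the table holds the session's user,
    a hash of the secret, and a device label for a 'currently logged in' panel.
    Because validity lives server-side, deleting a row is enough no matter how
    many domains hold a cookie for that session."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user", "token_hash", "device"}

    def login(self, user_id, device="unknown"):
        session_id = secrets.token_hex(8)
        secret = secrets.token_hex(16)
        self._sessions[session_id] = {
            "user": user_id,
            "token_hash": _hash_token(secret),
            "device": device,
        }
        return (session_id, secret)

    def _lookup(self, cookie):
        session_id, secret = cookie
        row = self._sessions.get(session_id)
        if row is None:
            return None
        if not hmac.compare_digest(row["token_hash"], _hash_token(secret)):
            return None
        return row

    def is_valid(self, cookie):
        return self._lookup(cookie) is not None

    def logout(self, cookie):
        """Per-session logout: only the session behind this cookie is removed."""
        if self._lookup(cookie) is not None:
            del self._sessions[cookie[0]]

    def logout_others(self, cookie):
        """Keep the current session, drop the user's other ones. Returns the count."""
        row = self._lookup(cookie)
        if row is None:
            return 0
        others = [sid for sid, r in self._sessions.items()
                  if r["user"] == row["user"] and sid != cookie[0]]
        for sid in others:
            del self._sessions[sid]
        return len(others)

    def logout_all(self, user_id):
        """Global logout for a suspected compromise; same effect as rotating a user token."""
        doomed = [sid for sid, r in self._sessions.items() if r["user"] == user_id]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)

    def list_sessions(self, user_id):
        """Rows for a 'currently logged in' panel: ids and device labels, never secrets."""
        return sorted((sid, r["device"]) for sid, r in self._sessions.items()
                      if r["user"] == user_id)


if __name__ == "__main__":
    s = SessionStore()
    tablet, desktop = s.login(42, "tablet"), s.login(42, "desktop")
    s.logout(tablet)  # a mis-tap on the tablet no longer touches the desktop
    print(s.is_valid(desktop), s.list_sessions(42))
```

The `logout_others` operation is what the "forgot to log out elsewhere" case needs, and `logout_all` covers the compromised-account case; neither is expressible with a single per-user token, which is why the description ties per-session logout to a sessions table.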

See also:

Details

Reference
bz35220

Event Timeline

bzimport raised the priority of this task from to Low. Nov 22 2014, 12:19 AM
bzimport set Reference to bz35220.
bzimport added a subscriber: Unknown Object (MLST).

This works correctly in MediaWiki, but CentralAuth removes MediaWiki's token and changes its token on logout, so it invalidates other sessions.

Tgr updated the task description.

I'd really like to see this implemented. It's especially annoying in combination with T217914. If I mis-tap on my tablet, my desktop gets logged out too. I also have 2FA enabled, so it's doubly annoying. And, if I don't have my phone with me (or it's broken, etc), in a single errant finger-tap, I've inflicted a DOS attack on myself across my multiple devices.

The ability to deauthorize all existing login cookies across all devices is indeed a useful thing, and can be a valuable security tool if you've accidentally left yourself logged in someplace where you're no longer physically located. But, that should be an option, not the default behavior.

We should have a currently logged-in panel in the Preferences section that would allow us to log out sessions from elsewhere, in case we have left accounts logged in on old or public devices. Furthermore, we should also have an option to log out from all devices in case we believe that our account is compromised, or on privileged changes apart from password changes (attempts to change 2FA/email, for example).

Duplicate of T51890?

In that task you say that you cannot be logged in in more than one place, which is not true (anymore at least?). The logout in one place invalidates the tokens set elsewhere, which is not acceptable behaviour.

Tgr updated the task description.

@Tgr is this triaged? It's a 7-year old bug/''essential feature'' request.

In T37220#5777742, @Ankit-Maity wrote:

@Tgr is this triaged? It's a 7-year old bug/''essential feature'' request.

Well, the priority (inherited from bugzilla times) is set to Low, not Untriaged, so for some value of triaged, yes.
More to the point, authentication UX isn't really owned by any currently existing team, I think.
The community wishlist is probably the best way of getting something without a clear ownership registered as an "essential feature" these days (when it is not restricted to sister projects, anyway).