Page MenuHomePhabricator

Allow per-session log out
Open, LowPublic

Description

MediaWiki core handles logout by clearing browser cookies; if the user is also logged in on a different device, that's not affected.
CentralAuth, on the other hand, changes the user token stored in the global user table on logout, so all sessions are invalidated. This is more secure but also more annoying - there's no way (without manual cookie tampering) to log in and out on e.g. a public library computer without getting logged out on all my devices.

Security concerns aside, replicating the core behavior in CentralAuth would be very hard you'd have to delete the cookies on all the other domains as well (see T124409: Logging out immediately logs you back in) so this would require tracking all open sessions in the database (ie. instead of the current user_token field, or gu_auth_token for CentralAuth, have something that's in many-to-one relationship with the user record).

See also:

Details

Reference
bz35220

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 12:19 AM
bzimport set Reference to bz35220.
bzimport added a subscriber: Unknown Object (MLST).

This works correctly in MediaWiki, but CentralAuth removes MediaWiki's token and changes its token on logout, so it invalidates other sessions.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 18 2015, 7:24 PM
Tgr updated the task description. (Show Details)Aug 28 2015, 11:17 PM
Tgr updated the task description. (Show Details)

I'd really like to see this implemented. It's especially annoying in combination with T217914. If I mis-tap on my tablet, my desktop gets logged out too. I also have 2FA enabled, so it's doubly annoying. And, if I don't have my phone with me (or it's broken, etc), in a single errant finger-tap, I've inflicted a DOS attack on myself across my multiple devices.

The ability to deauthorize all existing login cookies across all devices is indeed a useful thing, and can be a valuable security tool if you've accidentally left yourself logged in someplace where you're no longer physically located. But, that should be an option, not the default behavior.

Ankit-Maity added a subscriber: Ankit-Maity.EditedMay 3 2019, 6:21 PM

We should have a currently logged-in panel in the Preferences section that would allow us to logout sessions from elsewhere, in case we have left accounts logged in, on old or public devices. Furthermore, we should also have an option to log out from all devices in case we believe that our account is compromised or in privileged changes, apart from password changes, attempts to change 2FA/email for example.

Duplicate of T51890?

In that task you say that you cannot be logged in more than once place, which is not true (anymore atleast?). The logout in one place invalidates the tokens set elsewhere, which is not acceptable behaviour.

Tgr updated the task description. (Show Details)May 7 2019, 4:50 PM
Tgr updated the task description. (Show Details)May 7 2019, 4:58 PM
Tgr updated the task description. (Show Details)
Tgr updated the task description. (Show Details)May 7 2019, 5:12 PM