Logging out on a different device logs me out everywhere else
Status
Open, Public

Assigned To
None
Priority
High
Author
Jdlrobson
Subscribers
liangent, Jaredzimmerman-WMF, Maryana and 17 others
Projects
Tokens
"Like" token, awarded by Jdlrobson.
Reference
bz49890
Description

It is very common to find yourself continuously logging in on mobile/desktop when you use both. According to Brion Vibber this is because you cannot login and remain logged in on more than one device.

Not sure how to fix, but it would be nice to stay logged in on both desktop and mobile for a month.


Version: unspecified
Severity: major
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=35220

bzimport added a subscriber: wikibugs-l.
bzimport set Reference to bz49890.
Jdlrobson created this task. Via Legacy, Jun 20 2013, 5:17 PM
brion added a comment. Via Conduit, Jun 20 2013, 5:42 PM

This can be tough to reproduce because session cookies might be sitting around, as might global cookies and.... it gets scary. ;)

But the fundamental problem is that there's only a single user_token value, which holds the magic saved cookie that verifies you and restarts your session after the session cookies are gone.

To stay logged in reliably on multiple devices, we need to be able to store multiple remembered-login tokens.

csteipp added a comment. Via Conduit, Jun 20 2013, 6:03 PM

You should get the same token in both sessions, but I'll check that scenario. I wouldn't be surprised if we try to regenerate at some point when you have the remember me checked.

I need to rework some of the token handling in general, so I'll probably look into this after OAuth is out. If this is a serious issue, please adjust the priority and we'll shift things around.

Jdlrobson added a comment. Via Conduit, Jun 20 2013, 6:11 PM

I'd say this is pretty high priority for the mobile team. Logging in on mobile is a pain and a lot of our workflows are optimised to be as simple as possible once logged in and all editing on mobile requires authentication in the current state. Any help here would be greatly appreciated.

Jdlrobson added a comment. Via Conduit, Jul 11 2013, 9:07 PM

OK, I can replicate this now:

Login on mobile
Login on desktop
Logout on desktop
Now you are also logged out on mobile

Vice versa
Login on mobile
Login on desktop
Logout on mobile
You are now logged out on desktop.

csteipp added a comment. Via Conduit, Jul 11 2013, 9:18 PM

Yes. Logging *out* refreshes a token, so other logged in sessions will be invalidated. This was done by Tim in 2008, and as I understand it, it's by design.

I personally like that it works this way, in case a user forgets they logged in somewhere and left the browser open. However, we could do something like Facebook, and provide a button in the user's preferences to log out any other sessions.

Jdlrobson added a comment. Via Conduit, Jul 12 2013, 5:16 PM

Tim, is this something we want to reconsider?

Personally I spend a lot of time over many devices. A lot of the time I might log into my account temporarily on a friend's machine and log out. Being logged out on mobile and having to log in again is a pain and breaks my mobile workflow and I'm sure the workflows of others.

Jared - this doesn't seem to be a good user experience. The situation where a user forgets they logged in somewhere doesn't quite hold much weight for me - in this age we have incognito windows, we have a box that says 'keep me logged in' on the login form (I'd assume this would logout that session on closing my browser window) and all sorts of other ways to protect us from this. It seems we could still support this but as more of a power user feature - either as part of the logout process or a user preference.

Thoughts?

brion added a comment. Via Conduit, Jul 12 2013, 5:20 PM

I strongly concur with Jon on this one; users (or at least I!) expect to be able to remain logged in on multiple devices, and our current user experience is Broken with a big ol' B.

As far as I know, CentralAuth just inherited the same single-token design from MediaWiki's local auth; I don't think it was a deliberate design decision.

Jaredzimmerman-WMF added a comment. Via Conduit, Jul 12 2013, 6:01 PM

I do think this opens a can of worms for needing an interface for remote logging out of other devices, which I really don't want to tackle right now. I've seen both patterns work well (A. log out one place logs you out globally, vs. B. log out on one device only logs you out on that device). One feels more secure (A) whereas (B) feels more casual but convenient. From a UX perspective I don't actually have a point of view on this as long as we're being consistent.

If we want to wait until we have a UI for logging out of all or logging out of specific devices available to users I'd be fine with a log out once logs you out everywhere behavior until we can get the multiple login behavior to where we want it.

Qgil added a comment. Via Conduit, Jul 15 2013, 4:16 PM

I thought I was the only one having this annoying problem...

I don't keep a mobile login session for more than one day, even if I don't touch my laptop at all (I realized this weekend, when I had only my mobile device, no laptop).

csteipp added a comment. Via Conduit, Jul 15 2013, 4:39 PM

Hi Quim, if you didn't use another browser where you actually clicked logout, then you're hitting another issue.

Has anyone on the mobile team verified how long a cookie, set for the session duration, actually lasts on a mobile device? I know both bugzilla and gerrit seem to also timeout pretty quickly on my phone, whereas they last almost forever on desktop.

Jdlrobson added a comment. Via Conduit, Jul 15 2013, 5:49 PM

Opened bug 51377 for the other issue. Let's discuss it there.

jayvdb added a comment. Via Conduit, Jul 29 2013, 2:26 AM

I am regularly being logged out when using two different browsers (Firefox and Chrome) on the same workstation. I log out of one browser, and I am automatically logged out of the other one. Is this bug the cause? (should the summary be 'log out is always global') MediaWiki:Logouttext should mention that the logout is now global. Is it a regression or planned feature?

Aklapper added a comment. Via Conduit, Dec 9 2013, 4:07 PM

(In reply to comment #12)
> I am regularly being logged out when using two different browsers (Firefox and Chrome) on the same workstation. I log out of one browser, and I am automatically logged out of the other one. Is this bug the cause? (should the summary be 'log out is always global') MediaWiki:Logouttext should mention that the logout is now global. Is it a regression or planned feature?

jayvdb: Is the situation still as described?

csteipp added a comment. Via Conduit, Dec 9 2013, 6:22 PM

(In reply to comment #13)
> (In reply to comment #12)
> > I am regularly being logged out when using two different browsers (Firefox and Chrome) on the same workstation. I log out of one browser, and I am automatically logged out of the other one. Is this bug the cause? (should the summary be 'log out is always global') MediaWiki:Logouttext should mention that the logout is now global. Is it a regression or planned feature?
>
> jayvdb: Is the situation still as described?

Yes, logout is global.

hashar added a comment. Via Conduit, Jul 1 2014, 8:26 PM

The browser tests are most probably impacted. They are run concurrently in virtual instances and on wikis that have shared auth. Whenever a test ends up logging out the user, the other tests running in different instances are logged out.

I highly suspect this bug report is the cause of our mysterious logouts and started a thread on the QA mailing list about it:

[QA] browser tests race condition with login/logout
http://lists.wikimedia.org/pipermail/qa/2014-July/001643.html

Some sites let you log in from different devices and list the valid sessions in your user preferences, i.e. sessions vary by browser or IP (can't remember details). You can then manually invalidate a session.

I think Phabricator is using that system.

MZMcBride added a comment. Via Conduit, Jul 16 2014, 5:24 AM

(In reply to Chris Steipp from comment #5)
> Yes. Logging *out* refreshes a token, so other logged in sessions will be invalidated. This was done by Tim in 2008, and as I understand it, it's by design.

Done by Tim in the CentralAuth extension? Cross-referencing a commit or SVN revision would be helpful for me.

The current behavior (log out anywhere logs out everywhere) has probably become the expected behavior. I've personally relied on the behavior to stop adminbots running under my account, as I recall.

I would like to think that most users typically stay logged in on their devices or use incognito mode on a public computer, but perhaps this is an overly optimistic view.

> I personally like that it works this way, in case a user forgets they logged in somewhere and left the browser open. however we could do something like facebook, and provide a button in the user's preferences to log out any other sessions.

[[mw:Extension:SecureSessions]], of course.

Withoutaname added a comment. Via Conduit, Jul 16 2014, 5:44 AM

User experience versus security again...

Well, I suppose you could simply store it as yet another user preference, so people who prefer user experience have their way and people who prefer security (log out of all browser sessions) also have their way.

tstarling added a comment. Via Conduit, Jul 16 2014, 6:20 AM

Before CentralAuth, logout was local, and password change was an effective global logout, invalidating all sessions and persistent cookies. I remember reimplementing this policy in r5523, I had no problem with it.

The change in policy for CentralAuth was apparently done by Andrew Garrett in r33061. The doc comment on resetAuthToken() indicates that it was a deliberate policy -- although the fact that it is a different policy from the core was not noted. I reviewed it at the time (as evidenced by r33063), but I don't think I considered the logout policy beyond accepting the emphatic rationale in the doc comment.

I am fine with the idea of making logout local again, but I think a nice additional feature would be to add a button to the logout success page which allows you to explicitly log out from all devices, without having to reset your password.

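The two designs discussed in this thread, side by side, as an added illustration (not MediaWiki or CentralAuth code; class and method names are invented): the single shared user_token that brion describes, where rotating it on logout ends every device's session, and the per-device remembered-login tokens with a separate "log out everywhere" action that tstarling suggests. `reproduce()` runs Jdlrobson's steps against either store.

```python
"""Toy model of the two remembered-login designs debated in this task.

Added illustration, not MediaWiki or CentralAuth code; names are invented.
"""
import hashlib
import secrets


def _digest(token: str) -> str:
    # Store only a hash server-side so a leaked table does not yield cookies.
    return hashlib.sha256(token.encode()).hexdigest()


class SingleTokenStore:
    """One user_token per account, as brion describes: every device's
    remembered-login cookie carries the same value, so rotating it on
    logout (resetAuthToken-style) invalidates every other device too."""

    def __init__(self):
        self.user_token = secrets.token_hex(16)

    def login(self, device):
        return self.user_token            # same cookie value for every device

    def is_valid(self, cookie):
        return secrets.compare_digest(cookie, self.user_token)

    def logout(self, cookie):
        self.user_token = secrets.token_hex(16)   # rotation == global logout


class PerDeviceTokenStore:
    """One token per device (brion's request); local logout drops only that
    token, and 'log out everywhere' (tstarling's button) is a separate act."""

    def __init__(self):
        self.sessions = {}                # sha256(token) -> device label

    def login(self, device):
        token = secrets.token_hex(16)
        self.sessions[_digest(token)] = device
        return token

    def is_valid(self, cookie):
        return _digest(cookie) in self.sessions

    def logout(self, cookie):
        self.sessions.pop(_digest(cookie), None)   # this device only

    def logout_everywhere(self):
        self.sessions.clear()

    def active_devices(self):
        # What a "valid sessions" preference page (hashar's idea) would list.
        return sorted(self.sessions.values())


def reproduce(store_cls):
    """Jdlrobson's steps: log in on mobile and desktop, log out on desktop.
    Returns True if the mobile session survives."""
    store = store_cls()
    mobile = store.login("mobile")
    desktop = store.login("desktop")
    store.logout(desktop)
    return store.is_valid(mobile)
```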
MZMcBride added a comment. Via Conduit, Jul 21 2014, 12:30 AM

(In reply to Tim Starling from comment #18)
> I am fine with the idea of making logout local again, but I think a nice additional feature would be to add a button to the logout success page which allows you to explicitly log out from all devices, without having to reset your password.

Yes, a "log me out everywhere" button sounds like a good idea.

Assuming the logout behavior is changed here at all, a more minimal approach would be to only inform the user in a post-logout message if additional sessions remain open/active.

In my opinion, given that this is a proposed change in perhaps expected behavior (i.e., I imagine some users now expect "log out" to log them out everywhere), user notification in a post-logout message is a hard requirement, while adding an additional tool to actively kill sessions would be a soft requirement.

Awjrichards removed a subscriber: Awjrichards. Via Web, Dec 3 2014, 5:44 PM
werdna removed a subscriber: werdna. Via Web, Dec 10 2014, 5:14 PM
Jdlrobson awarded a token. Via Web, Jan 21 2015, 12:11 AM
Jdlrobson moved this task to Not MobileFrontend specific on the Mobile workboard.
hashar removed a subscriber: hashar. Via Web, Tue, Feb 3, 1:39 PM

