If you're already logged in, you can not longer directly log in as another user (such as with bots, different privilege or role accounts, sockpuppets, etc) without first logging out.
This is annoying and shouldn't have happened.
Version: 1.24rc
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=71066
swalling wrote:
This is an odd regression. For reproducibility:
Expected behavior: until recently, you should have been able to visit Special:UserLogin while authenticated as another account. The form then tells you that you are already logged in and allows you to login as a separate user.
The issue fixed by the bug is pretty important, so simply reverting the patch will not actually solve anything.
IMO, the bug described (switching between accounts) should really be solved by some sort of account switcher, e.g., like Google has.
Indeed, but it should be easy enough to show the form instead of redirecting when the user is logged in and there's no 'returnto' parameter.
To play devils advocate, why would you want to visit the login form whilst logged in? What is wrong with logging out and then visiting it?
(In reply to Bartosz Dziewoński from comment #5)
Indeed, but it should be easy enough to show the form instead of redirecting
when the user is logged in and there's no 'returnto' parameter.
(In reply to Jon from comment #6)
To play devils advocate, why would you want to visit the login form whilst
logged in? What is wrong with logging out and then visiting it?
These two sort of go together.
The only situation in which there would be no 'returnto' parameter is if you manually navigated to the login page by typing "Special:Userlogin" in the search bar (or by entering it in your address bar). I feel like it is much easier and trivial to simply click Logout and then log back in again.
We might be able to improve the experience by having the logout page redirect back to the login page automatically, and just display a message saying you were logged out.
However logging out can cause problems because it invalidates all login sessions. If a user is operating a bot and switches to remove the new message talk page notice, it logs the bot out.
Honestly I think what this is fixing is a mole hill compared to the mountain of problems that it creates.
(In reply to Betacommand from comment #8)
However logging out can cause problems because it invalidates all login
sessions. If a user is operating a bot and switches to remove the new
message talk page notice, it logs the bot out.
That is CentralAuth, not a property of core.
Actually its not. That particular issue has existed for as long as I can remember (~2006) If I log in via a bot, the cookies/session is kept and reused as needed. If I then login via a web browser, both sessions work. However if I log out via the web browser, the session/tokens that the bot have been using get invalidated and cause the bot to no longer be logged in.
That is about as core as one can get, prior to this a user could be logged in as themselves, note their bot has a new message, log into the bot account, clear the message, and then log back into the main account without ever logging out. This enables multiple logins and does not cause issues where the bot or user gets logged out on other devices/locations.
(In reply to Betacommand from comment #10)
Actually its not. That particular issue has existed for as long as I can
remember (~2006) If I log in via a bot, the cookies/session is kept and
reused as needed. If I then login via a web browser, both sessions work.
However if I log out via the web browser, the session/tokens that the bot
have been using get invalidated and cause the bot to no longer be logged in.That is about as core as one can get, prior to this a user could be logged
in as themselves, note their bot has a new message, log into the bot
account, clear the message, and then log back into the main account without
ever logging out. This enables multiple logins and does not cause issues
where the bot or user gets logged out on other devices/locations.
I can assure you that MediaWiki core does not simultaneously log out all sessions. All logging out does is clear your cookies. I also just tested this on my Vagrant instance using two different browsers,
https://bugzilla.wikimedia.org/show_bug.cgi?id=49890
There was discussion on mailing lists about killing this behaviour.
Change 161465 had a related patch set uploaded by Bartosz Dziewoński:
Allow logged-in users to view and use the login form
Change 161465 merged by jenkins-bot:
Allow logged-in users to view and use the login form again
Patch merged in master, leaving this open until it's clean if we need to backport to 1.24, or if it will be included.
Change 162120 had a related patch set uploaded by Legoktm:
Allow logged-in users to view and use the login form again
Change 162120 merged by jenkins-bot:
Allow logged-in users to view and use the login form again
(Per bug 15484 comment 27 it hasn't. The fix here only changes any behavior if a user types "Special:UserLogin" in the search box or address bar, or otherwise directly visits the login page.)
swalling wrote:
(In reply to Bartosz Dziewoński from comment #21)
(Per bug 15484 comment 27 it hasn't. The fix here only changes any behavior
if a user types "Special:UserLogin" in the search box or address bar, or
otherwise directly visits the login page.)
Tested and confirmed on Beta Labs.
Thanks Bartosz.