Page MenuHomePhabricator
Create Task
Maniphest T73066

Users are not logged out when logging in as another user
Open, LowPublic
Actions

Description

When already logged in, the login form (after I7e40c13a6ca5) will allow users to log in again as another user. However, in this scenario, LoginForm does not call $user->logout() on the original user.

The question: should it?

Extensions may be expecting the appropriate hooks to be called any time a user ends their session (and in this case, even though they are switching users, it can be considered an end to the session).

For example, Extension:SecureSessions keeps track of where a user is logged in, and shows that information to the user. However, it depends on the UserLogout hook to know when a session is terminated.

Version: unspecified
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=70855

Details

Reference
bz71066

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 3:57 AM
bzimport added a project: MediaWiki-User-login-and-signup.
bzimport set Reference to bz71066.
bzimport added a subscriber: Unknown Object (MLST).
Parent5446 created this task.Sep 19 2014, 8:04 PM
matmarex added a comment.Sep 19 2014, 9:18 PM

(In reply to Tyler Romeo from comment #0)

Extensions may be expecting the appropriate hooks to be called any time a
user ends their session (and in this case, even though they are switching
users, it can be considered an end to the session).

For example, Extension:SecureSessions keeps track of where a user is logged
in, and shows that information to the user. However, it depends on the
UserLogout hook to know when a session is terminated.

I don't see how this can possibly work when a user can just clear their cookies? I must be missing something.

Parent5446 added a comment.Oct 16 2014, 11:32 AM

Somehow didn't see the response.

Yes it is not entirely accurate. However, think about the workflow for this. If somebody closes out there browser on another computer and the cookies are cleared for whatever reason, the user will probably not be surprised to see that session still listed.

But if a user explicitly logs off of a computer (or in this scenario, logs in as another user and then logs out), and then goes later to see that session still listed in their list of sessions, it will definitely be confusing and they might wonder whether they were actually logged out or not.

That is why I think it would be best to, at the very least, try and make the session list as accurate as it can possibly be.

Tgr added a subtask: T110277: Rewrite Special:UserLogin (and signup) and Special:UserLogout to use AuthManager.Sep 1 2015, 3:50 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 1 2015, 3:50 AM
Anomie closed subtask T110277: Rewrite Special:UserLogin (and signup) and Special:UserLogout to use AuthManager as Resolved.May 16 2016, 7:16 PM
Anomie subscribed.Jun 16 2016, 6:26 PM

This sounds like the sort of thing where someone should really do some research on user expectations rather than just guessing, particularly considering that with CentralAuth calling $user->logout() on one session will result in all sessions being logged out (see T37220).

I also note that sessions silently disappear if you simply don't load any pages for the duration of $wgObjectCacheSessionExpiry. But if "remember me" was checked a new session will be silently created without going through a new login. And things like OAuth complicate the issue even further since they don't support login or logout at all.

To really show an accurate list of sessions, you'd need to track creation and removal of sessions rather than logins and logouts, and you'd need to be able to check in the session store to see if a session still exists. This might actually be possible with SessionManager, FWIW: the 'SessionMetadata' hook could be used to track session creation and associated-user changes while getSessionById() can check if a session still exists.

LucasWerkmeister mentioned this in T232789: List active MediaWiki sessions for your account.Sep 12 2019, 9:54 PM
QEDK mentioned this in T58212: Add a feature to track and terminate specific login sessions.Apr 15 2020, 6:37 AM
Aklapper removed subscribers: Anomie, wikibugs-l-list.Oct 16 2020, 5:03 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits