
Users are not logged out when logging in as another user
Open, Low, Public

Description

When already logged in, the login form (after I7e40c13a6ca5) will allow users to log in again as another user. However, in this scenario, LoginForm does not call $user->logout() on the original user.

The question: should it?

Extensions may be expecting the appropriate hooks to be called any time a user ends their session (and in this case, even though they are switching users, it can be considered an end to the session).

For example, Extension:SecureSessions keeps track of where a user is logged in, and shows that information to the user. However, it depends on the UserLogout hook to know when a session is terminated.


Version: unspecified
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=70855

Details

Reference
bz71066

Event Timeline

bzimport raised the priority of this task from to Low. Nov 22 2014, 3:57 AM
bzimport set Reference to bz71066.
bzimport added a subscriber: Unknown Object (MLST).

(In reply to Tyler Romeo from comment #0)

> Extensions may be expecting the appropriate hooks to be called any time a
> user ends their session (and in this case, even though they are switching
> users, it can be considered an end to the session).
>
> For example, Extension:SecureSessions keeps track of where a user is logged
> in, and shows that information to the user. However, it depends on the
> UserLogout hook to know when a session is terminated.

I don't see how this can possibly work when a user can just clear their cookies? I must be missing something.

Somehow didn't see the response.

Yes, it is not entirely accurate. However, think about the workflow for this. If somebody closes out their browser on another computer and the cookies are cleared for whatever reason, the user will probably not be surprised to see that session still listed.

But if a user explicitly logs off of a computer (or in this scenario, logs in as another user and then logs out), and then goes later to see that session still listed in their list of sessions, it will definitely be confusing and they might wonder whether they were actually logged out or not.

That is why I think it would be best to, at the very least, try and make the session list as accurate as it can possibly be.

This sounds like the sort of thing where someone should really do some research on user expectations rather than just guessing, particularly considering that with CentralAuth calling $user->logout() on one session will result in all sessions being logged out (see T37220).

I also note that sessions silently disappear if you simply don't load any pages for the duration of $wgObjectCacheSessionExpiry. But if "remember me" was checked a new session will be silently created without going through a new login. And things like OAuth complicate the issue even further since they don't support login or logout at all.

To really show an accurate list of sessions, you'd need to track creation and removal of sessions rather than logins and logouts, and you'd need to be able to check in the session store to see if a session still exists. This might actually be possible with SessionManager, FWIW: the 'SessionMetadata' hook could be used to track session creation and associated-user changes while getSessionById() can check if a session still exists.