logging out on one device logs user out everywhere

logging out on one device logs user out everywhere

Jon Robson
(Forked from Re: [Wikitech-l] "Not logged in" page)

Is it time to revisit this behaviour? It's come up as being a usability
problem a few times now.

Currently if I log out of a public computer it logs me out of my tablet
device, mobile device and home computer. :(

See bug for reference [1]

[1] https://bugzilla.wikimedia.org/show_bug.cgi?id=49890
On 15 Jul 2014 18:38, "Bryan Davis" <[hidden email]> wrote:

> On Tue, Jul 15, 2014 at 7:25 PM, Jon Robson <[hidden email]> wrote:
> >> regularly.  I've found mediawiki logs me out despite the 'keep me
> >> logged in' box, when logging out on a different device, etc.
> > Well that's the bug then no and that should be fixed. Help us work out
> why
> > it is occurring and let's get that dealt with.:)
> >
> > We shouldn't be designing features for edge cases!
>
> Logout was discussed recently on the QA list [0]. The discussion led
> to Jon Robson pointing out bug 49890 [1] where Chris Steipp stated
> that logout is global.
>
> [0]:https://www.mail-archive.com/qa@.../msg01559.html
> [1]: https://bugzilla.wikimedia.org/show_bug.cgi?id=49890
> --
> Bryan Davis              Wikimedia Foundation    <[hidden email]>
> [[m:User:BDavis_(WMF)]]  Sr Software Engineer            Boise, ID USA
> irc: bd808                                        v:415.839.6885 x6855
>
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: logging out on one device logs user out everywhere

Steven Walling
On Tuesday, July 15, 2014, Jon Robson <[hidden email]> wrote:

> (Forked from Re: [Wikitech-l] "Not logged in" page)
>
> Is it time to revisit this behaviour? It's come up as being a usability
> problem a few times now.
>
> Currently if I log out of a public computer it logs me out of my tablet
> device,mobile device and home computer. :(
>
> See bug for reference [1]
>
> [1] https://bugzilla.wikimedia.org/show_bug.cgi?id=49890


Yes, this is terrible UX. Logging out or in should only apply to one
device.


> On 15 Jul 2014 18:38, "Bryan Davis" <[hidden email]> wrote:
>
> > On Tue, Jul 15, 2014 at 7:25 PM, Jon Robson <[hidden email]> wrote:
> > >> regularly.  I've found mediawiki logs me out despite the 'keep me
> > >> logged in' box, when logging out on a different device, etc.
> > > Well that's the bug then no and that should be fixed. Help us work out
> > why
> > > it is occurring and let's get that dealt with.:)
> > >
> > > We shouldn't be designing features for edge cases!
> >
> > Logout was discussed recently on the QA list [0]. The discussion led
> > to Jon Robson pointing out bug 49890 [1] where Chris Steipp stated
> > that logout is global.
> >
> > [0]:https://www.mail-archive.com/qa@.../msg01559.html
> > [1]: https://bugzilla.wikimedia.org/show_bug.cgi?id=49890
> > --
> > Bryan Davis              Wikimedia Foundation    <[hidden email]>
> > [[m:User:BDavis_(WMF)]]  Sr Software Engineer            Boise, ID USA
> > irc: bd808                                        v:415.839.6885 x6855
> >

Re: logging out on one device logs user out everywhere

Risker
On 15 July 2014 22:28, Steven Walling <[hidden email]> wrote:

> On Tuesday, July 15, 2014, Jon Robson <[hidden email]> wrote:
>
> > (Forked from Re: [Wikitech-l] "Not logged in" page)
> >
> > Is it time to revisit this behaviour? It's come up as being a usability
> > problem a few times now.
> >
> > Currently if I log out of a public computer it logs me out of my tablet
> > device,mobile device and home computer. :(
> >
> > See bug for reference [1]
> >
> > [1] https://bugzilla.wikimedia.org/show_bug.cgi?id=49890
>
>
> Yes, this is terrible UX. Logging out or in should only apply to one
> device.
>
>

Or alternately have a "log out on this device/log out everywhere" option.

Risker/Anne

Re: logging out on one device logs user out everywhere

Isarra Yos
On 16/07/14 02:50, Risker wrote:

> On 15 July 2014 22:28, Steven Walling <[hidden email]> wrote:
>
>> On Tuesday, July 15, 2014, Jon Robson <[hidden email]> wrote:
>>
>>> (Forked from Re: [Wikitech-l] "Not logged in" page)
>>>
>>> Is it time to revisit this behaviour? It's come up as being a usability
>>> problem a few times now.
>>>
>>> Currently if I log out of a public computer it logs me out of my tablet
>>> device,mobile device and home computer. :(
>>>
>>> See bug for reference [1]
>>>
>>> [1] https://bugzilla.wikimedia.org/show_bug.cgi?id=49890
>>
>> Yes, this is terrible UX. Logging out or in should only apply to one
>> device.
>>
>>
> Or alternately have a "log out on this device/log out everywhere" option.

Aye, they should be separated. The need to log out everywhere is a
special case, but a potentially important one, as there are instances
when users will want to forcibly log out devices they may not have
direct access to (usually specifically because they don't have direct
access to them). It's the sort of thing we'd want to have a special
page/action for, but one that's not necessarily prominent - while the
normal logout would be on every page, this would only be linked from the
preferences, or something.

-I


Re: logging out on one device logs user out everywhere

Jasper Deng
I've actually found this to be a rather big pet peeve of mine w/
CentralAuth over the years. It would seem that logging out in CentralAuth
means deleting everything in the cache with the user's info in it.

I'd prefer that we did Google's system that, in addition to allowing a
separate "sign out all other sessions" option, also allows users to monitor
which IP addresses their account was accessed from (which however would be
akin to self CheckUser and might run afoul of our privacy policy).


On Tue, Jul 15, 2014 at 8:07 PM, Isarra Yos <[hidden email]> wrote:

> On 16/07/14 02:50, Risker wrote:
>
>> On 15 July 2014 22:28, Steven Walling <[hidden email]> wrote:
>>
>>  On Tuesday, July 15, 2014, Jon Robson <[hidden email]> wrote:
>>>
>>>  (Forked from Re: [Wikitech-l] "Not logged in" page)
>>>>
>>>> Is it time to revisit this behaviour? It's come up as being a usability
>>>> problem a few times now.
>>>>
>>>> Currently if I log out of a public computer it logs me out of my tablet
>>>> device,mobile device and home computer. :(
>>>>
>>>> See bug for reference [1]
>>>>
>>>> [1] https://bugzilla.wikimedia.org/show_bug.cgi?id=49890
>>>>
>>>
>>> Yes, this is terrible UX. Logging out or in should only apply to one
>>> device.
>>>
>>>
>>>  Or alternately have a "log out on this device/log out everywhere"
>> option.
>>
>
> Aye, they should be separated. The need to log out everywhere is a special
> case, but a potentially important one, as there are instances when users
> will want to forcibly log out devices they may not have direct access to
> (usually specifically because they don't have direct access to them). It's
> the sort of thing we'd want to have a special page/action for, but one
> that's not necessarily prominent - while the normal logout would be on
> every page, this would only be linked from the preferences, or something.
>
> -I
>
>

Re: logging out on one device logs user out everywhere

Greg Grossmeier-2
<quote name="Jasper Deng" date="2014-07-15" time="21:50:18 -0700">
> I'd prefer that we did Google's system that, in addition to allowing a
> separate "sign out all other sessions" option, also allows users to monitor
> which IP addresses their account was accessed from (which however would be
> akin to self CheckUser and might run afoul of our privacy policy).

https://bugzilla.wikimedia.org/show_bug.cgi?id=27242
and
https://www.mediawiki.org/wiki/Extension:AccountInfo

--
| Greg Grossmeier            GPG: B2FA 27B1 F7EB D327 6B8E |
| identi.ca: @greg                A18D 1138 8E47 FAC8 1C7D |


Re: logging out on one device logs user out everywhere

Tyler Romeo
In reply to this post by Jasper Deng
On Wed, Jul 16, 2014 at 12:50 AM, Jasper Deng <[hidden email]>
wrote:

> I'd prefer that we did Google's system that, in addition to allowing a
> separate "sign out all other sessions" option, also allows users to monitor
> which IP addresses their account was accessed from (which however would be
> akin to self CheckUser and might run afoul of our privacy policy).
>

https://www.mediawiki.org/wiki/Extension:SecureSessions

*-- *
*Tyler Romeo*
Stevens Institute of Technology, Class of 2016
Major in Computer Science

Re: logging out on one device logs user out everywhere

Jon Robson
It seems like there is agreement on an approach

As I understand it:
* special button that when clicked logs you out everywhere
* default behaviour is just to log you out on current device

Does anyone want to own this and help move it forward? I've got too
many things on my plate right now, but it's been bothering me for many
years.

Although I don't have time/energy to do all of this, I'm happy to help
out grabbing people to code review any patches, unblock any
disagreements.

/me hopes someone puts their hand up


On Wed, Jul 16, 2014 at 4:06 AM, Tyler Romeo <[hidden email]> wrote:

> On Wed, Jul 16, 2014 at 12:50 AM, Jasper Deng <[hidden email]>
> wrote:
>
>> I'd prefer that we did Google's system that, in addition to allowing a
>> separate "sign out all other sessions" option, also allows users to monitor
>> which IP addresses their account was accessed from (which however would be
>> akin to self CheckUser and might run afoul of our privacy policy).
>>
>
> https://www.mediawiki.org/wiki/Extension:SecureSessions
>
> *-- *
> *Tyler Romeo*
> Stevens Institute of Technology, Class of 2016
> Major in Computer Science



--
Jon Robson
* http://jonrobson.me.uk
* https://www.facebook.com/jonrobson
* @rakugojon


Re: logging out on one device logs user out everywhere

Tyler Romeo
Just to be clear, this is a CentralAuth issue. MediaWiki core already has logout
localized by session, and I have an extension SecureSessions that already has
a feature that shows all your logged in sessions and lets them log out.

It is CentralAuth that does global logout.
-- 
Tyler Romeo
0x405D34A7C86B42DF

From: Jon Robson <[hidden email]>
Reply: Wikimedia developers <[hidden email]>
Date: July 21, 2014 at 14:35:54
To: Wikimedia developers <[hidden email]>
Subject: Re: [Wikitech-l] logging out on one device logs user out everywhere

It seems like there is agreement on an approach

As I understand it:
* special button that when clicked logs you out everywhere
* default behaviour is just to log you out on current device

Does anyone want to own this and help move it forward? I've got too
many things on my plate right now, but it's been bothering me for many
years.

Although I don't have time/energy to do all of this, I'm happy to help
out grabbing people to code review any patches, unblock any
disagreements.

/me hopes someone puts their hand up


On Wed, Jul 16, 2014 at 4:06 AM, Tyler Romeo <[hidden email]> wrote:

> On Wed, Jul 16, 2014 at 12:50 AM, Jasper Deng <[hidden email]>
> wrote:
>
>> I'd prefer that we did Google's system that, in addition to allowing a
>> separate "sign out all other sessions" option, also allows users to monitor
>> which IP addresses their account was accessed from (which however would be
>> akin to self CheckUser and might run afoul of our privacy policy).
>>
>
> https://www.mediawiki.org/wiki/Extension:SecureSessions
>
> *-- *
> *Tyler Romeo*
> Stevens Institute of Technology, Class of 2016
> Major in Computer Science



--  
Jon Robson
* http://jonrobson.me.uk
* https://www.facebook.com/jonrobson
* @rakugojon


Re: logging out on one device logs user out everywhere

Steven Walling
In reply to this post by Jon Robson
On Mon, Jul 21, 2014 at 11:35 AM, Jon Robson <[hidden email]> wrote:

> It seems like there is agreement on an approach
>
> As I understand it:
> * special button that when clicked logs you out everywhere
> * default behaviour is just to log you out on current device
>

Where would this "log me out of all sessions" button go? Preferences?

Re: logging out on one device logs user out everywhere

Risker
On 21 July 2014 15:14, Steven Walling <[hidden email]> wrote:

> On Mon, Jul 21, 2014 at 11:35 AM, Jon Robson <[hidden email]> wrote:
>
> > It seems like there is agreement on an approach
> >
> > As I understand it:
> > * special button that when clicked logs you out everywhere
> > * default behaviour is just to log you out on current device
> >
>
> Where would this "log me out of all sessions" button go? Preferences?
>
>


I hope not - the need to log out of a specific session rather than all
sessions would often be situation-specific (e.g., leaving the home computer
logged in while ending a session from the library wi-fi); it would be a
pain to have to keep updating preferences every time one of those situations
occurs.

Risker/Anne

Re: logging out on one device logs user out everywhere

Jon Robson
http://en.wikipedia.org/wiki/Special:UserLogout might be an obvious
place (closest to the action)... although not sure how discoverable.

Do you want to logout everywhere <YES> <NO>
[] Remember this decision

It seems like we could split this into 2 features though in the
interest of getting things done. Right now I'm interested in just
fixing the logout behaviour - in this day and age too many people are
using too many different devices and this experience seems very
broken.


On Mon, Jul 21, 2014 at 12:45 PM, Risker <[hidden email]> wrote:

> On 21 July 2014 15:14, Steven Walling <[hidden email]> wrote:
>
>> On Mon, Jul 21, 2014 at 11:35 AM, Jon Robson <[hidden email]> wrote:
>>
>> > It seems like there is agreement on an approach
>> >
>> > As I understand it:
>> > * special button that when clicked logs you out everywhere
>> > * default behaviour is just to log you out on current device
>> >
>>
>> Where would this "log me out of all sessions" button go? Preferences?
>>
>>
>
>
> I hope not - the need to log out of a specific session rather than all
> sessions would often be situation-specific (e.g., leaving the home computer
> logged in while ending a session from the library wi-fi); it would be a
> pain to have to keep updating preferences everytime one of those situations
> occurs.
>
> Risker/Anne



--
Jon Robson
* http://jonrobson.me.uk
* https://www.facebook.com/jonrobson
* @rakugojon


Re: logging out on one device logs user out everywhere

Ricordisamoa
On 21/07/2014 22:20, Jon Robson wrote:

> http://en.wikipedia.org/wiki/Special:UserLogout might be an obvious
> place (closest to the action)... although not sure how discoverable.
>
> Do you want to logout everywhere <YES> <NO>
> [] Remember this decision
>
> It seems like we could split this into 2 features though in the
> interest of getting things done. Right now I'm interested in just
> fixing the logout behaviour - in this day and age to many people are
> using too many different devices and this experience seems very
> broken.
The problem is, that users don't really get addicted to our projects.
They should /never/ need to log themselves out. ;-)

But if they want, a single click (or, maybe, a JavaScript popup like
Echo's asking whether to logout from all devices) should take them out.
There should be no need for an additional step (i.e. reload the page).

Re: logging out on one device logs user out everywhere

Steven Walling
In reply to this post by Jon Robson
On Mon, Jul 21, 2014 at 1:20 PM, Jon Robson <[hidden email]> wrote:

> http://en.wikipedia.org/wiki/Special:UserLogout might be an obvious
> place (closest to the action)... although not sure how discoverable.
>
> Do you want to logout everywhere <YES> <NO>
> [] Remember this decision
>
> It seems like we could split this into 2 features though in the
> interest of getting things done. Right now I'm interested in just
> fixing the logout behaviour - in this day and age to many people are
> using too many different devices and this experience seems very
> broken.


This seems potentially overcomplicated. Other sites doing this (Facebook,
Google, others) don't put this kind of "close all sessions" option directly
on logout. Let's get some input here from the UX team.

Re: logging out on one device logs user out everywhere

Jon Robson
Sounds good.
Adding design mailing list.


On Mon, Jul 21, 2014 at 2:02 PM, Steven Walling
<[hidden email]> wrote:

> On Mon, Jul 21, 2014 at 1:20 PM, Jon Robson <[hidden email]> wrote:
>
>> http://en.wikipedia.org/wiki/Special:UserLogout might be an obvious
>> place (closest to the action)... although not sure how discoverable.
>>
>> Do you want to logout everywhere <YES> <NO>
>> [] Remember this decision
>>
>> It seems like we could split this into 2 features though in the
>> interest of getting things done. Right now I'm interested in just
>> fixing the logout behaviour - in this day and age to many people are
>> using too many different devices and this experience seems very
>> broken.
>
>
> This seems potentially overcomplicated. Other sites doing this (Facebook,
> Google, others) don't put this kind of "close all sessions" option directly
> on logout. Let's get some input here from the UX team.



--
Jon Robson
* http://jonrobson.me.uk
* https://www.facebook.com/jonrobson
* @rakugojon


Re: logging out on one device logs user out everywhere

Chris Steipp
Cool. My $.02 on the feature,

I think this should be managed similar to https-- a site preference,
and users can override the site config with a user preference. I'd
prefer if we could make the site preference (logout all sessions, or
logout only the current session) to be configurable, so we can start
with keeping the setting as is (and users can opt in), then we can
change the site preference later if we decide it's a better tradeoff.

Unlike https, since this feature is for CentralAuth, let's not reuse
core's session management pages (like Special:UserLogout). If we
really have to add another page, it should be a new central auth page.

On Mon, Jul 21, 2014 at 3:03 PM, Jon Robson <[hidden email]> wrote:

> Sounds good.
> Adding design mailing list.
>
>
> On Mon, Jul 21, 2014 at 2:02 PM, Steven Walling
> <[hidden email]> wrote:
>> On Mon, Jul 21, 2014 at 1:20 PM, Jon Robson <[hidden email]> wrote:
>>
>>> http://en.wikipedia.org/wiki/Special:UserLogout might be an obvious
>>> place (closest to the action)... although not sure how discoverable.
>>>
>>> Do you want to logout everywhere <YES> <NO>
>>> [] Remember this decision
>>>
>>> It seems like we could split this into 2 features though in the
>>> interest of getting things done. Right now I'm interested in just
>>> fixing the logout behaviour - in this day and age to many people are
>>> using too many different devices and this experience seems very
>>> broken.
>>
>>
>> This seems potentially overcomplicated. Other sites doing this (Facebook,
>> Google, others) don't put this kind of "close all sessions" option directly
>> on logout. Let's get some input here from the UX team.
>
>
>
> --
> Jon Robson
> * http://jonrobson.me.uk
> * https://www.facebook.com/jonrobson
> * @rakugojon
>

Re: logging out on one device logs user out everywhere

MZMcBride-2
Chris Steipp wrote:
>I think this should be managed similar to https-- a site preference,
>and users can override the site config with a user preference.

Please no. There's been a dedicated effort in 2014 to reduce the number
of user preferences. They're costly to maintain and they typically
indicate a design flaw: software should be sensible by default and a user
preference should only be a tool of last resort. The general issue of user
preferences-creep remains particularly acute as global (across a wikifarm)
user preferences still do not exist. Of course in this specific case,
given the relationship with CentralAuth, you probably could actually have
a wikifarm-wide user preference, but that really misses the larger point
that user preferences should be avoided, if at all possible.

I'll start a new thread about my broader thoughts here.

MZMcBride




Re: logging out on one device logs user out everywhere

Chris Steipp
On Tuesday, July 22, 2014, MZMcBride <[hidden email]> wrote:

> Chris Steipp wrote:
> >I think this should be managed similar to https-- a site preference,
> >and users can override the site config with a user preference.
>
> Please no. There's been a dedicated effort in 2014 to reduce the number
> of user preferences. They're costly to maintain and they typically
> indicate a design flaw: software should be sensible by default and a user
> preference should only be a tool of last resort. The general issue of user
> preferences-creep remains particularly acute as global (across a wikifarm)
> user preferences still do not exist. Of course in this specific case,
> given the relationship with CentralAuth, you probably could actually have
> a wikifarm-wide user preference, but that really misses the larger point
> that user preferences should be avoided, if at all possible.
>
> I'll start a new thread about my broader thoughts here.
>

I think we have too many preferences also, no disagreement there.

But like Risker, I too want to always destroy all my sessions when I logout
(mostly because I log in and out of accounts a lot while testing, and I
like knowing that applies to all the browsers I have open). So I'm biased
towards thinking this is preference worthy, but I do think it's one of
those things that if it doesn't behave as a user expects, they're going to
think it's a flaw in the software and file a bug to change it.

I'm totally willing to admit the expectations I have are going to be the
minority opinion. If it's a very, very small number of us, then yeah,
preference isn't needed, and we can probably get by with a gadget.

Your proposal for account info and session management is good too. I hope
someone's willing to pick that up.



>
> MZMcBride
>
>
>

Re: logging out on one device logs user out everywhere

Antoine Musso-3
In reply to this post by Jon Robson
On 16/07/2014 03:52, Jon Robson wrote:

> (Forked from Re: [Wikitech-l] "Not logged in" page)
>
> Is it time to revisit this behaviour? It's come up as being a usability
> problem a few times now.
>
> Currently if I log out of a public computer it logs me out of my tablet
> device,mobile device and home computer. :(
>
> See bug for reference [1]
>
> [1] https://bugzilla.wikimedia.org/show_bug.cgi?id=49890

Hello,

I would use a system similar to Github or Phabricator.  When you log
out, it only invalidates your current browser session.   Then in your
preferences you have a list of all valid sessions which you can
manually invalidate.

On Github that is under Settings -> Security
https://github.com/settings/security

That shows me:


== Sessions ==
This is a list of devices that have logged into your account. Revoke any
sessions that you do not recognize.

 Nantes: some IP
 Safari on OS X 10.9.4
 Location: Nantes, France
 Signed in: May 26, 2014

That gives enough information to identify the sessions and invalidate
them if needed.   We could add a tab to Special:Preferences.


An interesting feature on Github is the security history which lists new
sessions and from where I logged on.   Might be worth a look at.


The same goes on for Phabricator, if you are logged in:
 http://fab.wmflabs.org/settings/panel/sessions/

Gives me a table such as:

+--------+-------+----+---------------------+------------+
|Identity|Session|Type|Created              |Expires     |
+--------+-------+----+---------------------+------------+
|hashar  |abcdef |web |Apr 29 2014, 7:54 AM |Tue, Aug 19 |
+--------+-------+----+---------------------+------------+

There is less information than on Github, though.

--
Antoine "hashar" Musso
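
Added example (not part of the thread, and not MediaWiki or CentralAuth code): a minimal server-side session store in which the default logout ends only the current session, while a session list lets the owner revoke one other session or all of them, as proposed in the messages above. The class, method and field names are hypothetical, and the device labels and IP addresses are constructed sample data.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str   # public handle shown in the session list; not a credential
    user: str
    device: str       # label derived from the User-Agent (constructed here)
    ip: str
    created: float
    last_seen: float


class SessionStore:
    """In-memory stand-in for a server-side session table (hypothetical)."""

    def __init__(self, ttl_seconds=30 * 24 * 3600, clock=time.time):
        self._sessions = {}          # sha256(token) -> Session
        self._ttl = ttl_seconds
        self._clock = clock

    @staticmethod
    def _key(token):
        # Only a hash of the cookie token is stored, so a dump of the
        # table does not yield usable session cookies.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def login(self, user, device, ip):
        """Create one session per device and return its secret token."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = Session(
            secrets.token_hex(8), user, device, ip, now, now)
        return token

    def authenticate(self, token):
        """Return the live Session for this token, or None."""
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > self._ttl:
            del self._sessions[key]      # idle sessions expire on their own
            return None
        session.last_seen = now
        return session

    def list_sessions(self, user):
        """Metadata for the 'where you are logged in' page; no tokens."""
        return [s for s in self._sessions.values() if s.user == user]

    def logout(self, token):
        """Default logout: ends the session on this device only."""
        return self._sessions.pop(self._key(token), None) is not None

    def revoke(self, token, session_id):
        """Revoke one listed session; only its owner may do so."""
        me = self.authenticate(token)
        if me is None:
            return False
        for key, s in list(self._sessions.items()):
            if s.session_id == session_id and s.user == me.user:
                del self._sessions[key]
                return True
        return False

    def logout_everywhere(self, token, keep_current=False):
        """Explicit 'log out everywhere'; returns the number of sessions ended."""
        me = self.authenticate(token)
        if me is None:
            return 0
        current = self._key(token)
        doomed = [k for k, s in self._sessions.items()
                  if s.user == me.user and not (keep_current and k == current)]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore()
    library = store.login("alice", "Library PC", "198.51.100.7")
    home = store.login("alice", "Home desktop", "192.0.2.10")
    store.logout(library)                      # public computer only
    for s in store.list_sessions("alice"):
        print(s.session_id, s.device, s.ip)    # home session is still listed
```
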



Re: logging out on one device logs user out everywhere

Krinkle
In reply to this post by Chris Steipp
I think generally user's expectation (and imho desirable behaviour in general[1]) is that logging out one session, does not affect other sessions.

However I think it's a valid use case to be able to invalidate other sessions remotely (e.g. you lost control over the device or it's inconvenient to get at), as well as being able to invalidate all other sessions (paranoia, convenience, clean slate, or "I can't remember what device that bloke had when I needed to check my e-mail and forgot to log out").

Both Gmail and Facebook currently implement systems like this.

On Gmail, you have a footnote "Last account activity: <time ago>" with a details link providing an overview of all current sessions (basically extracted from session data associated with the session cookies set for your account). It shows the device type (user agent or, if not cookie based, the protocol, like IMAP/SMTP), the location and IP, and when the session was last active. It has an option to "Sign out all other session".

On Facebook, the "Security Settings" feature has a section "Where You're Logged In" which is similar. Though slightly more enhanced in that it also allows ending individual sessions.

They also have a section "Trusted Browsers" which is slightly different in that it lists sessions that are of the "Remember me" type and also lists authenticated devices that won't ask for two-step verification again. And the ability to revoke any of them.

— Krinkle

[1] E.g. not expectation based on previous negative experience with other sites.

On 23 Jul 2014, at 16:45, Chris Steipp <[hidden email]> wrote:

> On Tuesday, July 22, 2014, MZMcBride <[hidden email]> wrote:
>
>> Chris Steipp wrote:
>>> I think this should be managed similar to https-- a site preference,
>>> and users can override the site config with a user preference.
>>
>> Please no. There's been a dedicated effort in 2014 to reduce the number
>> of user preferences. They're costly to maintain and they typically
>> indicate a design flaw: software should be sensible by default and a user
>> preference should only be a tool of last resort. The general issue of user
>> preferences-creep remains particularly acute as global (across a wikifarm)
>> user preferences still do not exist. Of course in this specific case,
>> given the relationship with CentralAuth, you probably could actually have
>> a wikifarm-wide user preference, but that really misses the larger point
>> that user preferences should be avoided, if at all possible.
>>
>> I'll start a new thread about my broader thoughts here.
>>
>
> I think we have too many preferences also, no disagreement there.
>
> But like Risker, I too want to always destroy all my sessions when I logout
> (mostly because I log in and out of accounts a lot while testing, and I
> like knowing that applies to all the browsers I have open). So I'm biased
> towards thinking this is preference worthy, but I do think it's one of
> those things that if it doesn't behave as a user expects, they're going to
> think it's a flaw in the software and file a bug to change it.
>
> I'm totally willing to admit the expectations I have are going to be the
> minority opinion. If it's a very, very small number of us, then yeah,
> preference isn't needed, and we can probably get by with a gadget.
>
> Your proposal for account info and session management is good too. I hope
> someone's willing to pick that up.
>
>
>
>>
>> MZMcBride
>>
>>
>>