Logging in will log out all other devices

[Colonel_mortis]

And apparently, that is not a bug. Currently, the login & auth flow works like this:

• Logging in gives you auth cookies that are valid for one week - auth cookies consist of a member ID and a random string that is unique to your account (but all sessions logged into your account keep the same cookie).
• Every time you visit the site again while the cookies are still valid, the expiry on the cookies is refreshed, so you will stay logged in for another week.
• If you log into another device after the original week grace period, you will log out all other sessions, because the value for the auth cookie is regenerated.
• If you want to log out all other sessions, you need to either change your password (that makes perfect sense) or log into another device (wtf?!). Logging out of any one device will also log you out of the others, but that is a bug that is marked as fixed in 4.1.12.

Lets compare it to Facebook's, as I understand it:

• Logging in gives you auth cookies that are valid for three months - auth cookies consist of a member ID and a pseudo-random string that uniquely identifies that browser.
• Every time you visit the site again while the cookies are still valid, the expiry on the cookies is refreshed, so you will remain logged in for another three months.
• If you log into another device at any time, nothing happens to your other sessions, but the new device gets a different pseudo-random string identifier, and you can opt to be emailed to tell you about the new login.
• If you want to log out all your other sessions, you need to go into settings and click "End All Activity", or "End Activity" on the row related to the login session that you want to terminate. No need to log out of all devices - you can just log out of the one device that has been compromised.

How I think it should work, which would require minimal changes to your code, and would make the user experience much better:

• When you log in, it should not log out other sessions, no matter what. Users do not expect other sessions to be logged out when the log in, so it is completely pointless from a security standpoint (have you ever left a device logged in somewhere and thought "I know, lets log into another device to log that one out"? I didn't think so. Not that it would work anyway, because that device would probably have logged in within the past week anyway).
• Changing or resetting your password should still log out all active sessions.
• A button in user settings to log out all active sessions.
• Login cookies should last longer than a week by default. "Remember me" should actually make it remember you. A month would be sensible, or you could make it an admin-configurable option (though possibly set an upper limit at somewhere like a year).

It would be nice if you also supported the tracking of separate logins, so each login gets its own unique token, and can then be terminated individually, but I know that would take a fairly large amount of work. If not, it would be amazing if you could make it hookable by abstracting the member loading on line 148+ of \IPS\Session\Front into a separate function, so it can be hooked. It's fairly easy to override the initial setting of the cookies following a login, but far more difficult to hook the checking of the cookies to log the member back in. If you do abstract it, abstracting the do login part of the checkout login would probably be a good idea, or, even better, leave it to the actual login form.

Login alerts would be nice too, but they can also be achieved using a membersync extension.

[Colonel_mortis]

This has been marked as complete, but, unless it's in an unreleased version, that isn't the case - in \IPS\Session\Front::setMember, you still run checkLoginKey on the member, which will reset their login key if it has "expired" (aka if it's been over 7 days (which is no time at all)).

[Apfelstrudel]

I totally agree. That's the way it should be!

[Apfelstrudel]

If it's marked as "completed" when and in which upcoming version can we expect the fix?

Our users get crazy everytime the permanent login on other devices disappears.

[iacas]

My members have complained of this same thing. Logging in to a new device (or a new browser on an existing device) should not log you out of other devices.

[Colonel_mortis]

@Lindy this has been marked as complete, but the main point, that it is quite frankly absurd that you would be logged out if you log into another device, has not been addressed at all (and there don't seem to be any other points in that post that didn't include links to bug reports that have been changed either). This "feature" has made me not bother to log into IPS sites on a new device, because I do not want to have to be bothered to have to re-log into every single other device that I am currently logged into.

[craigf136]

You should be able to be logged in on multiple devices, it has been a bug bear of mine and our users ever since IPS 4 was released.

[Lindy]

This was mistakenly marked as completed when a note was added. It will be addressed in a future version so you're only logged out if you change your password. 

[Lindy]

This was addressed in tandem with the 90 day session change in 4.1.15.

[Colonel_mortis]

26 minutes ago, Lindy said:

This was addressed in tandem with the 90 day session change in 4.1.15.

... no it wasn't.

Steps to reproduce:

1. Log in to a device
2. Wait 180 days (much, much better, but still not fixed)
3. Log in to another device
4. Check the device where you first logged on, and discover that you are now logged out.

This "security" feature adds no security at all, and just severely annoys users.

[Charles]

It is reasonable that after 180 days you would be required to re-authenticate other devices.

[Colonel_mortis]

Just now, Charles said:

It is reasonable that after 180 days you would be required to re-authenticate other devices.

If you've not used them, yes. If you've been continually using them, then get logged out because you log into a new device, that is not OK.

Whatever, it doesn't affect me, because I made a plugin to provide the behaviour that my users expect.

[TSP]

2 minutes ago, Charles said:

It is reasonable that after 180 days you would be required to re-authenticate other devices.

The behavior is unexpected to users. Because if you're still using device 1 on day 179, and then on day 181 you log in with device number 2, it logs them out from device number 1. Where as if I hadn't logged in with device 2 on day 181, I would still be logged in with device number 1 on day 182. 

The behavior feels buggy and users are saying so as well. This behavior provides no clear explanation to the end user why logging in to other devices will sometimes cause them to be logged out from all other devices, while other times it will not.  

The fact the timeout of the cookie was 7 days was never the real issue here.

[Lindy]

Do you have any feedback you can point to from your users? I've polled internally and not a single person has had this come up in a ticket. Not really wanting to tinker with this based on "I logged into my iPhone 6 months ago, then used my linux desktop 5 months ago, logged in with my android an hour ago, then went back to my iPad, did the hokey pokey and now I'm logged out of everything!" 

It's not that big of deal in my mind. I get logged out of Facebook on occasion, I briefly think "that's strange", login and carry on with life. Sometimes we overthink things. 

[Joy Rex]

2 hours ago, Charles said:

It is reasonable that after 180 days you would be required to re-authenticate other devices.

With no activity on said device, yes - if you are using said device, you should never be logged out except when account credentials are changed or logging out is done on purpose.

2 hours ago, Colonel_mortis said:

If you've not used them, yes. If you've been continually using them, then get logged out because you log into a new device, that is not OK.

Whatever, it doesn't affect me, because I made a plugin to provide the behaviour that my users expect.

@Colonel_mortis Is this plugin available in the Marketplace?

[Colonel_mortis]

41 minutes ago, Lindy said:

Do you have any feedback you can point to from your users? I've polled internally and not a single person has had this come up in a ticket. Not really wanting to tinker with this based on "I logged into my iPhone 6 months ago, then used my linux desktop 5 months ago, logged in with my android an hour ago, then went back to my iPad, did the hokey pokey and now I'm logged out of everything!" 

It's not that big of deal in my mind. I get logged out of Facebook on occasion, I briefly think "that's strange", login and carry on with life. Sometimes we overthink things. 

Yes, I have (frequently enough in fact that some people have been copying my response from one topic to the next, to avoid me having to reply).

https://linustechtips.com/main/topic/636640-please-stop-signing-me-out-on-desktop-when-i-sign-in-on-mobile/

https://linustechtips.com/main/topic/643184-change-active-sign-in-to-three/

https://linustechtips.com/main/topic/639648-increase-max-simultanious-client-count/

https://linustechtips.com/main/topic/657350-stay-logged-in-on-different-os-boots-same-pc/

None of them are super recent topics because I fixed it to work properly.

It's probably not come up in a ticket because who would submit a ticket just because someone got logged out (because it is not at all obvious why you are being logged out), particularly when they can log back in and everything seems fine.

Just because someone hasn't reported something, doesn't mean they aren't affected by it. I was very annoyed by this issue for quite a while before I actually got around to reporting it. Look at the responses to this thread for an example.

And your example is not what I was talking about at all.

• I log into my iPhone on the 1st January
• I log into Chrome on my Windows desktop on the 3rd January
• I use my iPhone and Chrome Windows regularly, including on the 5th July, when I am still logged in
• On the 6th July, I decide to try Microsoft Edge, and log into the site there. I quickly get annoyed by the editor not working correctly on Edge, and switch back to Chrome
• Unfortunately, because I logged into Edge, I am now logged out of Chrome and my iPhone. I've already got annoyed at the site because of my editor issues in Edge, so I just give up and don't use the site again.

 

As I said though, whether you fix it or not is irrelevant to me, since I have fixed it myself, and have a concerning feeling that I will end up fixing everything from now on.

5 minutes ago, Joy Rex said:

With no activity on said device, yes - if you are using said device, you should never be logged out except when account credentials are changed or logging out is done on purpose.

@Colonel_mortis Is this plugin available in the Marketplace?

Not currently, because I think Lindy will just point people to that plugin rather than fixing this issue, but if things don't improve, I will publish it.

[Joy Rex]

I'm of two mindsets with plugins - on one hand, I appreciate the additional functionality they offer, but ones that seemingly "fix" or "restore" features back into the product that either were there in 3.4.9 and taken out in 4.1 are kinda annoying from a forum owner standpoint.

You either accept that lost functionality, or you rely on an addon that potentially could break with a future update or worse, gets abandoned by the developer.

Not trying to tell IPS how to run their business, but perhaps there should be more community involvement in deciding what features should be incorporated into the core product (with IPS having the final say of course) via a community vote or similar.

Not only would it engender goodwill amongst the paying customer base, but also make the product better and could be used to justify staffing priorities internally.

[sudo]

I have to say I am completely with @Colonel_mortis on his points. I think the facebook system is best albeit more complex to implement but failing that we should at least be able to disable the feature that logs all devices out after logging in X days into the future. I dont think it adds anything and will only cause issues for my userbase. Please at least let us configure the mode to allow those who dont want this to disable it. If you change your password you should naturally be logged out of everything but failing that I wouldnt want it to happen without user action.

[Admonstrator]

On 3.10.2016 at 11:34 PM, Colonel_mortis said:

Not currently, because I think Lindy will just point people to that plugin rather than fixing this issue, but if things don't improve, I will publish it.

Any idea how long we have to wait until the "things don't improve" point is reached? 

[Colonel_mortis]

Just now, Admonstrator said:

Any idea how long we have to wait until the "things don't improve" point is reached? 

A while ago, but I'm not able to do anything with it at the moment because it's on a computer that I don't currently have access to. When I have some time, I will see whether I can obtain it from elsewhere or recreate it, but I don't have any time at the moment.

[Admonstrator]

17 minutes ago, Colonel_mortis said:

A while ago, but I'm not able to do anything with it at the moment because it's on a computer that I don't currently have access to. When I have some time, I will see whether I can obtain it from elsewhere or recreate it, but I don't have any time at the moment.

So we are waiting for 3 points right now?

1. The "things don't improve" point
2. The "got back to my computer" point
3. The "have some time" point

 No, it's okay... I'm still in hope that IPS will fix this bug asap. 

[MYGNRFORUM]

I can point to at least 5 threads on our forum that users have raised regarding this issue, with multiple responses. The staff also get PMs about it regularly. The current fix we give is to spam the refresh button, but it would be great to get this properly resolved.

From my perspective we have never raised a ticket because the issue is so difficult for members to describe. It's vague, inconsistent and the sort of ticket you feel a bit helpless sumitting. 

Also I'm not sure if it's related, but sometimes members will click into a forum and be shown a version from weeks (or even months) ago - old posts, with their old notifications, etc. They hit refresh and it's back to normal. I had suspected there was some kind of caching problem (browser related), but it never used to happen. We're hosted with Invision and the only significant thing I could think that could co-incide with the issue was their server move (to AWS?) within the past 12 months.
I note that Sheffielder appears to describe the exact same issue (in addition to the logout problem) in post #5 of this thread, but haven't seen anyone else post about it before. I can confirm we are seeing both issues: 

 

[Colonel_mortis]

The plugin to fix this absurdity has been published on the marketplace (actually it was published a while ago, but I've had several requests for it so I figured I should probably post it in here too).

 

[Simon Woods]

I've never known logging in to cause such stress since, like, the last decade. Once every 6 months? Some of these kids need to take a breath.

[TSP]

On 8.3.2017 at 3:11 PM, Colonel_mortis said:

The plugin to fix this absurdity has been published on the marketplace (actually it was published a while ago, but I've had several requests for it so I figured I should probably post it in here too).

I thank you for this plugin that is a plugin you should not have needed to make in order to resolve an absurd feature decision.

Now, if only IPS could install it on their own board, so I don't have to deal with the sillyness on here either...