Lots of great discussion and ideas here. Who's up for taking this on
as a challenge or mentoring someone to do it?
--tomasz
On Wed, Jul 23, 2014 at 11:01 AM, Krinkle <krinklemail(a)gmail.com> wrote:
I think generally the user's expectation (and imho
desirable behaviour in general[1]) is that logging out of one session does not affect other
sessions.
However I think it's a valid use case to be able to invalidate other sessions
remotely (e.g. you lost control over the device or it's inconvenient to get at), as
well as being able to invalidate all other sessions (paranoia, convenience, clean slate,
or "I can't remember what device that bloke had when I needed to check my e-mail
and forgot to log out").
Both Gmail and Facebook currently implement systems like this.
On Gmail, you have a footnote "Last account activity: <time ago>" with a
details link providing an overview of all current sessions (basically extracted from
session data associated with the session cookies set for your account). It shows the
device type (user agent or, if not cookie based, the protocol, like IMAP/SMTP), the
location and IP, and when the session was last active. It has an option to "Sign out
all other sessions".
On Facebook, the "Security Settings" feature has a section "Where
You're Logged In" which is similar, though slightly more enhanced in that it also
allows ending individual sessions.
They also have a section "Trusted Browsers" which is slightly different in that
it lists sessions that are of the "Remember me" type and also lists
authenticated devices that won't ask for two-step verification again. And the ability
to revoke any of them.
— Krinkle
[1] E.g. not expectation based on previous negative experience with other sites.
On 23 Jul 2014, at 16:45, Chris Steipp <csteipp(a)wikimedia.org> wrote:
On Tuesday, July 22, 2014, MZMcBride <z(a)mzmcbride.com> wrote:
Chris Steipp wrote:
I think this should be managed similar to https-- a site preference,
and users can override the site config with a user preference.
Please no. There's been a dedicated effort in 2014 to reduce the number
of user preferences. They're costly to maintain and they typically
indicate a design flaw: software should be sensible by default and a user
preference should only be a tool of last resort. The general issue of user
preferences-creep remains particularly acute as global (across a wikifarm)
user preferences still do not exist. Of course in this specific case,
given the relationship with CentralAuth, you probably could actually have
a wikifarm-wide user preference, but that really misses the larger point
that user preferences should be avoided, if at all possible.
I'll start a new thread about my broader thoughts here.
I think we have too many preferences also, no disagreement there.
But like Risker, I too want to always destroy all my sessions when I logout
(mostly because I log in and out of accounts a lot while testing, and I
like knowing that applies to all the browsers I have open). So I'm biased
towards thinking this is preference worthy, but I do think it's one of
those things that if it doesn't behave as a user expects, they're going to
think it's a flaw in the software and file a bug to change it.
I'm totally willing to admit the expectations I have are going to be the
minority opinion. If it's a very, very small number of us, then yeah,
preference isn't needed, and we can probably get by with a gadget.
Your proposal for account info and session management is good too. I hope
someone's willing to pick that up.
MZMcBride
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l