-
Notifications
You must be signed in to change notification settings - Fork 250
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for multiple accounts under the new authentication scheme #138
Comments
Yeah this is indeed a Problem. It took me some time to finish #131 (comment) first :(. All new features are now implemented for |
That's awesome -- thanks again for all the hard work, I hope you don't On 24 April 2016 at 11:29, Mark Friedrich notifications@github.com wrote:
|
Oh no, I appreciate our feedback! Unfortunately I don´t have the time to play a lot, therefore user feeback is very important for me! How it works
Technical informationAfter reading a lot about "long term User authentication" and security concerns, I really liked the way described in this article "Implementing Secure User Authentication in PHP".(awesome article!)
Cookie verification process
|
I'm glad the article was helpful; from a security standpoint your implementation looks solid but I'll have a closer look today as it's not currently working for me (possibly because you set the cookie via javascript instead of PHP and I have some addons running). Would it be possible to set a default character so that when you land on the homepage you get automatically logged in? You could then use the character selector at the top to switch accounts as well. |
Hmm, I might be crazy, but I only see the EU legislation cookie actually being set in your commit? None of the char_ cookies appear to being set at all. I'm also not convinced that the EU legislation cookie is actually still a legal requirement. EDIT: Nevermind. It was an addon. The only thing you're missing that I see from a security perspective is the ability to revoke cookies. Clicking the "Logout" menu item should destroy the cookies and remove them from the character_authentications database table. You can destroy a cookie by setting it's expiry in the past as in:
Given that a logon gets you CREST access to the users location, you should add a menu item that destroys all authentication tokens for that character. That way a user can choose to make all the cookies that are out there in the wild (potentially on other computers, Internet cafes, etc) invalid from any current logon session. |
The first cookie (which is set when you confirm the "set cookie" hint at the bottom) is set by javascript. The characters you see on the homepage are already "verified" and updated by CREST, by checking your cookies. This is done by Ajax requests for each character cookie on I´m not completely done with this task. There are still some things missing:
|
…cURL caching, and SESSION management) - #138 added "cookie logout" to "logout" menu entry
dfd1e85 Added new "cookie logout" functionality. -> If you manually logout (click on the menu entry), all server-side stored cookie information are deleted, too. If you get automatically logged out (e.g. on server errors), your login cookies are still active.
If there is already someone else logged in (with an active SESSION), he will logged out as soon as |
I woulds suggest making the Accept cookies notice a bit bigger and more obvious. |
This is a big thing missing when moving to centralised CREST SSO. Scouts have multiple accounts and alternate between them: having to logout and relogin constantly is a massive hindrance to usability.
We need a way to associate a Pathfinder login with multiple accounts.
The text was updated successfully, but these errors were encountered: