Web client stayed logged in when using multiple tabs #2347
Comments
Yikes!
This shouldn't be weird really? Web client uses an OAuth access token. While your page is open, the access token stays the same so you can keep using the API. If you reload the page you won't have access to the access token anymore.
This might be worse than previously thought. On iOS Safari I can do the following:
…and be able to toot/favorite/boost without having to enter any credentials. This has to do with Safari saving the page state along with browsing history, and I believe Firefox/Chrome do something similar. As far as I can tell, this means that in order to prevent someone else from gaining complete access to their account, a user on a shared device would have to either (a) reset the browser (i.e. clear history, cookies, and any saved window/tab state) when finished using Mastodon, or (b) only ever use Mastodon with private browsing and close the tab after logging out.
So uh.. I guess we could store the access token in a cookie then? Instead of having it in the HTML.
Regardless of where the access token is stored, shouldn't it be invalidated on the server side when the user logs out, per https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Manual_Session_Expiration ?
When you logout, session also destroys the access token, so it's no longer valid. If access token is destroyed some other way, the session is also destroyed, requiring a re-login.

Fix #1681 - Add scheduler to remove revoked access tokens and grants

* Add overview of active sessions
* Better display of browser/platform name
* Improve how browser information is stored and displayed for sessions overview
* Fix test
* Fix #2347 - Bind web UI access token to session

  When you logout, session also destroys the access token, so it's no longer valid. If access token is destroyed some other way, the session is also destroyed, requiring a re-login.

  Fix #1681 - Add scheduler to remove revoked access tokens and grants

* Fix test

Signed-off-by: Plastikmensch <plastikmensch@users.noreply.github.com>
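The commit above describes the fix in two directions: logging out revokes the web UI's access token, and revoking the token (by any other path) destroys the session that owns it, plus a scheduled sweep of revoked tokens. The following is an added, self-contained illustration of that binding, written for this page and not Mastodon's own code. `SessionStore`, `AccessToken`, `Session` and the `bind_token` switch are hypothetical names; `bind_token: false` reproduces the pre-fix behaviour from the issue (the token lingering in a first tab keeps working after the second tab logs out), and `bind_token: true` the fixed behaviour.

```ruby
require 'securerandom'

# Hypothetical minimal models (not Mastodon's): an OAuth access token that can
# be revoked, and a browser session that owns exactly one such token.
AccessToken = Struct.new(:token, :user_id, :revoked_at) do
  def revoked?
    !revoked_at.nil?
  end
end

Session = Struct.new(:id, :user_id, :access_token)

class SessionStore
  # bind_token: false models the behaviour reported in this issue,
  # bind_token: true models the fix ("Bind web UI access token to session").
  def initialize(bind_token: true)
    @bind_token = bind_token
    @sessions = {} # session id   => Session
    @tokens   = {} # token string => AccessToken
  end

  # Login creates a session and an access token that the web UI will embed.
  def login(user_id)
    token = AccessToken.new(SecureRandom.hex(16), user_id, nil)
    @tokens[token.token] = token
    session = Session.new(SecureRandom.hex(16), user_id, token)
    @sessions[session.id] = session
    session
  end

  # Logout destroys the session; with binding it also revokes the token, so a
  # copy still held by another tab or by restored page state is useless.
  def logout(session_id)
    session = @sessions.delete(session_id)
    return false unless session
    session.access_token.revoked_at = Time.now if @bind_token
    true
  end

  # Revocation through any other path (e.g. the user revokes the application)
  # must also destroy the owning session, forcing a re-login.
  def revoke_token(token_string)
    token = @tokens[token_string]
    return false if token.nil? || token.revoked?
    token.revoked_at = Time.now
    @sessions.delete_if { |_, s| s.access_token.equal?(token) } if @bind_token
    true
  end

  # An API call presenting a bearer token.
  def api_request(token_string)
    token = @tokens[token_string]
    return :unauthorized if token.nil? || token.revoked?
    if @bind_token
      # The token must still be backed by a live session.
      live = @sessions.values.any? { |s| s.access_token.equal?(token) }
      return :unauthorized unless live
    end
    :ok
  end

  def session_active?(session_id)
    @sessions.key?(session_id)
  end

  # Scheduled job: purge tokens revoked more than max_age seconds ago.
  # Returns the number of tokens removed.
  def sweep_revoked(max_age, now: Time.now)
    before = @tokens.size
    @tokens.delete_if { |_, t| t.revoked? && now - t.revoked_at > max_age }
    before - @tokens.size
  end
end

# Replays the issue's scenario: tab A keeps the token that was embedded in its
# page, the user logs out from tab B, and tab A tries to post again.
def replay_scenario(bind_token:)
  store = SessionStore.new(bind_token: bind_token)
  session = store.login(1)
  token_in_tab_a = session.access_token.token
  before_logout = store.api_request(token_in_tab_a)
  store.logout(session.id)
  after_logout = store.api_request(token_in_tab_a)
  [before_logout, after_logout]
end

if __FILE__ == $PROGRAM_NAME
  puts "unbound: #{replay_scenario(bind_token: false).inspect}" # [:ok, :ok]
  puts "bound:   #{replay_scenario(bind_token: true).inspect}"  # [:ok, :unauthorized]
end
```

The important detail for a shared-device user is the second branch: once the session is gone, the server rejects the token no matter where the browser kept a copy of it, so clearing history or tab state becomes a hygiene measure rather than the only defence.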
Steps to replicate:
Expected: Error message, or first tab client logs out
Actual: Toot is successfully published from the first account
master
(If you're a user, don't worry about this).