On Thu, Mar 3, 2011 at 12:19 PM, Sullivan, James (NIH/CIT) [C] <sullivan(a)mail.nih.gov> wrote:
I've run into a strange issue whereby logging into a wiki as an externally
authenticated user from one computer, then logging into the wiki from a
second computer as the same user (also externally authenticated) will log
the user out of the wiki on the first computer. This only happens with
users who are authenticating externally. Locally authenticated user
accounts (e.g., WikiSysop) are fine and can log in from many computers
without affecting each other.

I think I've tracked it down to the "user_token" field in the User table of
the database. It changes for every login of an externally authenticated
user. It remains unchanged for local users when they log in. I believe this
is invalidating the cookies of the first login by the second login changing
the value of user_token in the database and thus setting the first logged-in
user's session to anonymous (from what I could gather reading the User.php
code). My understanding is that the user_token is only changed when the
user is initially created and when the password is reset, but for my
externally authenticating users it happens at every login.

user_token is used for the "remember my login" cookie; the fact that it
resets when doing a login on a new computer/browser has been a problem for a
long time, though if a session remains open on another machine/browser it'll
stay valid.
Sounds like the external auth system being used isn't handling the regular
session authentication for some reason, and relies on setting the cookie to
match the user_token value... Is this one of the standard external auth
plugins or a custom one?
-- brion
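
The behaviour discussed in this thread, as an added sketch that is not MediaWiki code and comes from neither poster: a simplified model in which a "remember my login" cookie is only valid while it matches the stored user_token. The class, method names and the `rotate_on_login` switch are assumptions made for illustration, and server-side sessions are left out of the model.

```python
import hmac
import secrets


class UserStore:
    """Constructed stand-in for the user table: user name -> user_token."""

    def __init__(self):
        self.tokens = {}

    def login(self, name, rotate_on_login):
        """Return the token written into the 'remember my login' cookie.

        rotate_on_login=True models a login path that regenerates the token
        every time; False models a path that only creates it when missing.
        """
        if rotate_on_login or name not in self.tokens:
            self.tokens[name] = secrets.token_hex(16)
        return self.tokens[name]

    def reset_token(self, name):
        """Deliberate revocation, e.g. on password reset."""
        self.tokens[name] = secrets.token_hex(16)

    def cookie_valid(self, name, cookie_token):
        """A cookie is accepted only if it equals the stored token."""
        current = self.tokens.get(name)
        # Constant-time comparison so the check does not leak token prefixes.
        return current is not None and hmac.compare_digest(current, cookie_token)


def two_device_login(rotate_on_login, reset_afterwards=False):
    """Log the same user in from device A, then device B.

    Returns (cookie A still valid, cookie B still valid).
    """
    store = UserStore()
    cookie_a = store.login("alice", rotate_on_login)
    cookie_b = store.login("alice", rotate_on_login)
    if reset_afterwards:
        store.reset_token("alice")
    return (store.cookie_valid("alice", cookie_a),
            store.cookie_valid("alice", cookie_b))


if __name__ == "__main__":
    print("token rotated on every login:", two_device_login(True))
    print("token kept across logins:    ", two_device_login(False))
    print("token kept, then reset:      ", two_device_login(False, True))
```

Rotating the token is the right way to revoke every remembered login at once, which is why it belongs on password reset rather than on each login.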