On Thu, Mar 3, 2011 at 12:19 PM, Sullivan, James (NIH/CIT) [C] <sullivan@mail.nih.gov> wrote:
I've run into a strange issue whereby logging into a wiki as an externally authenticated user from one computer, then logging into the wiki from a second computer as the same user (also externally authenticated) will log the user out of the wiki on the first computer. This only happens with users who are authenticating externally. Locally authenticated user accounts (e.g., WikiSysop) are fine and can log in from many computers without affecting each other.
I think I've tracked it down to the "user_token" field in the User table of the database. It changes for every login of an externally authenticated user. It remains unchanged for local users when they log in. I believe this is invalidating the cookies of the first login by the second login changing the value of user_token in the database and thus setting the first logged-in user's session to anonymous (from what I could gather reading the User.php code). My understanding is that the user_token is only changed when the user is initially created and when the password is reset, but for my externally authenticating users it happens at every login.
user_token is used for the "remember my login" cookie; the fact that it resets when doing a login on a new computer/browser has been a problem for a long time, though if a session remains open on another machine/browser it'll stay valid.
Sounds like the external auth system being used isn't handling the regular session authentication for some reason, and relies on setting the cookie to match the user_token value... Is this one of the standard external auth plugins or a custom one?
-- brion
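
Added example, not part of the original thread and not MediaWiki code: a simplified Python model of the token check discussed above, comparing a token rewritten at every login with one that stays stable until a deliberate reset. TokenStore, login, reset, cookie_valid and two_device_scenario are hypothetical names, and the user "alice" is constructed sample data.

```python
import hmac
import secrets


class TokenStore:
    """Constructed stand-in for the user table: one user_token per user."""

    def __init__(self):
        self.user_token = {}

    def login(self, user, rotate_on_login):
        """Return the value placed in the 'remember my login' cookie."""
        if rotate_on_login or user not in self.user_token:
            # Behaviour reported for the externally authenticated users:
            # a fresh token is written to the table at every login.
            self.user_token[user] = secrets.token_hex(16)
        return self.user_token[user]

    def reset(self, user):
        """Deliberate rotation (e.g. password reset): revokes every cookie."""
        self.user_token[user] = secrets.token_hex(16)

    def cookie_valid(self, user, cookie_token):
        """A cookie is honoured only while it matches the stored token."""
        current = self.user_token.get(user)
        # Constant-time comparison avoids leaking the token via timing.
        return current is not None and hmac.compare_digest(current, cookie_token)


def two_device_scenario(rotate_on_login):
    """Log in on device A, then on device B; report (A valid, B valid)."""
    store = TokenStore()
    cookie_a = store.login("alice", rotate_on_login)
    cookie_b = store.login("alice", rotate_on_login)
    return (store.cookie_valid("alice", cookie_a),
            store.cookie_valid("alice", cookie_b))


if __name__ == "__main__":
    print("token rewritten at every login:", two_device_scenario(True))
    print("token stable across logins:    ", two_device_scenario(False))
```

In this model the stable token still gives a single revocation point: calling reset invalidates the cookies on every device at once.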