Lots of great discussion and ideas here. Who's up for taking this on as a challenge or mentoring someone to do it?
--tomasz
On Wed, Jul 23, 2014 at 11:01 AM, Krinkle krinklemail@gmail.com wrote:
I think generally the user's expectation (and IMHO desirable behaviour in general[1]) is that logging out of one session does not affect other sessions.
However, I think it's a valid use case to be able to invalidate other sessions remotely (e.g. you lost control over the device or it's inconvenient to get at), as well as being able to invalidate all other sessions (paranoia, convenience, clean slate, or "I can't remember what device that bloke had when I needed to check my e-mail and forgot to log out").
Both Gmail and Facebook currently implement systems like this.
On Gmail, you have a footnote "Last account activity: <time ago>" with a details link providing an overview of all current sessions (basically extracted from the session data associated with the session cookies set for your account). It shows the device type (user agent or, if not cookie based, the protocol, like IMAP/SMTP), the location and IP, and when the session was last active. It has an option to "Sign out all other sessions".
On Facebook, the "Security Settings" feature has a section "Where You're Logged In" which is similar, though slightly more enhanced in that it also allows ending individual sessions.
They also have a section "Trusted Browsers" which is slightly different in that it lists sessions that are of the "Remember me" type and also lists authenticated devices that won't ask for two-step verification again, and the ability to revoke any of them.
— Krinkle
[1] E.g. not an expectation based on previous negative experience with other sites.
On 23 Jul 2014, at 16:45, Chris Steipp csteipp@wikimedia.org wrote:
On Tuesday, July 22, 2014, MZMcBride z@mzmcbride.com wrote:
Chris Steipp wrote:
I think this should be managed similar to https: a site preference, and users can override the site config with a user preference.
Please no. There's been a dedicated effort in 2014 to reduce the number of user preferences. They're costly to maintain and they typically indicate a design flaw: software should be sensible by default and a user preference should only be a tool of last resort. The general issue of user-preference creep remains particularly acute as global (across a wikifarm) user preferences still do not exist. Of course in this specific case, given the relationship with CentralAuth, you probably could actually have a wikifarm-wide user preference, but that really misses the larger point that user preferences should be avoided, if at all possible.
I'll start a new thread about my broader thoughts here.
I think we have too many preferences also, no disagreement there.
But like Risker, I too want to always destroy all my sessions when I logout (mostly because I log in and out of accounts a lot while testing, and I like knowing that applies to all the browsers I have open). So I'm biased towards thinking this is preference worthy, but I do think it's one of those things that if it doesn't behave as a user expects, they're going to think it's a flaw in the software and file a bug to change it.
I'm totally willing to admit the expectations I have are going to be the minority opinion. If it's a very, very small number of us, then yeah, preference isn't needed, and we can probably get by with a gadget.
Your proposal for account info and session management is good too. I hope someone's willing to pick that up.
MZMcBride
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
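The session overview and remote invalidation that Krinkle describes above (Gmail's "Sign out all other sessions", Facebook's ending of individual sessions) and the "destroy all my sessions on logout" behaviour Chris wants, as an added example that is not code from this thread or from MediaWiki: a minimal server-side session registry where the cookie carries only an opaque id, every request re-checks the registry so revocation takes effect immediately, and ending another session is only allowed from a live session of the same account. The store, function names and sample sessions are constructed for illustration.

```python
import secrets
import time

SESSIONS: dict[str, dict] = {}  # constructed in-memory registry keyed by session id; a deployment would persist it

def create(user, device, ip, now=None):
    # The cookie holds only the opaque sid; device, IP and last activity stay server-side.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "device": device, "ip": ip,
                     "last_active": now if now is not None else time.time()}
    return sid

def touch(sid, now=None):
    # Run on every request: a revoked sid fails here, so its cookie stops working at once.
    s = SESSIONS.get(sid)
    if s is None:
        return False
    s["last_active"] = now if now is not None else time.time()
    return True

def list_for(user):
    # The "where you're logged in" overview as (sid, device, ip, last_active), most recent first.
    rows = [(sid, s["device"], s["ip"], s["last_active"]) for sid, s in SESSIONS.items() if s["user"] == user]
    return sorted(rows, key=lambda r: r[3], reverse=True)

def _end_all(user, keep=None):
    victims = [sid for sid, s in SESSIONS.items() if s["user"] == user and sid != keep]
    for sid in victims:
        del SESSIONS[sid]
    return len(victims)

def revoke(target_sid, acting_sid):
    # End one listed session; only another live session of the same account may do so.
    actor, target = SESSIONS.get(acting_sid), SESSIONS.get(target_sid)
    if actor is None or target is None or actor["user"] != target["user"]:
        return False
    del SESSIONS[target_sid]
    return True

def revoke_all_others(sid):
    # "Sign out all other sessions": the caller keeps its own session.
    s = SESSIONS.get(sid)
    return _end_all(s["user"], keep=sid) if s else 0

def logout(sid, everywhere=False):
    # Plain logout ends only this session; everywhere=True also destroys the account's other sessions.
    s = SESSIONS.pop(sid, None)
    if s is None:
        return 0
    return 1 + _end_all(s["user"]) if everywhere else 1
```

Whether plain logout should default to `everywhere=True` is exactly the site-wide versus per-user preference question argued in the thread; the registry supports either default without changing the data model.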