Lots of great discussion and ideas here. Who's up for taking this on
as a challenge or mentoring someone to do it?

--tomasz

On Wed, Jul 23, 2014 at 11:01 AM, Krinkle <krinklem...@gmail.com> wrote:
> I think generally users' expectation (and imho desirable behaviour in 
> general[1]) is that logging out of one session does not affect other sessions.
>
> However I think it's a valid use case to be able to invalidate other sessions 
> remotely (e.g. you lost control over the device or it's inconvenient to get 
> at), as well as being able to invalidate all other sessions (paranoia, 
> convenience, clean slate, or "I can't remember what device that bloke had 
> when I needed to check my e-mail and forgot to log out").
>
> Both Gmail and Facebook currently implement systems like this.
>
> On Gmail, you have a footnote "Last account activity: <time ago>" with a 
> details link providing an overview of all current sessions (basically 
> extracted from session data associated with the session cookies set for your 
> account). It shows the device type (user agent or, if not cookie based, the 
> protocol, like IMAP/SMTP), the location and IP, and when the session was last 
> active. It has an option to "Sign out all other session".
>
> On Facebook, the "Security Settings" feature has a section "Where You're 
> Logged In" which is similar. Though slightly more enhanced in that it also 
> allows ending individual sessions.
>
> They also have a section "Trusted Browsers" which is slightly different in 
> that it lists sessions that are of the "Remember me" type and also lists 
> authenticated devices that won't ask for two-step verification again. And the 
> ability to revoke any of them.
>
> — Krinkle
>
> [1] E.g. not expectation based on previous negative experience with other 
> sites.
>
> On 23 Jul 2014, at 16:45, Chris Steipp <cste...@wikimedia.org> wrote:
>
>> On Tuesday, July 22, 2014, MZMcBride <z...@mzmcbride.com> wrote:
>>
>>> Chris Steipp wrote:
>>>> I think this should be managed similar to https-- a site preference,
>>>> and users can override the site config with a user preference.
>>>
>>> Please no. There's been a dedicated effort in 2014 to reduce the number
>>> of user preferences. They're costly to maintain and they typically
>>> indicate a design flaw: software should be sensible by default and a user
>>> preference should only be a tool of last resort. The general issue of user
>>> preferences-creep remains particularly acute as global (across a wikifarm)
>>> user preferences still do not exist. Of course in this specific case,
>>> given the relationship with CentralAuth, you probably could actually have
>>> a wikifarm-wide user preference, but that really misses the larger point
>>> that user preferences should be avoided, if at all possible.
>>>
>>> I'll start a new thread about my broader thoughts here.
>>>
>>
>> I think we have too many preferences also, no disagreement there.
>>
>> But like Risker, I too want to always destroy all my sessions when I log out
>> (mostly because I log in and out of accounts a lot while testing, and I
>> like knowing that applies to all the browsers I have open). So I'm biased
>> towards thinking this is preference worthy, but I do think it's one of
>> those things that if it doesn't behave as a user expects, they're going to
>> think it's a flaw in the software and file a bug to change it.
>>
>> I'm totally willing to admit the expectations I have are going to be the
>> minority opinion. If it's a very, very small number of us, then yeah,
>> preference isn't needed, and we can probably get by with a gadget.
>>
>> Your proposal for account info and session management is good too. I hope
>> someone's willing to pick that up.
>>
>>
>>
>>>
>>> MZMcBride
>>>
>>>
>>>
>>> _______________________________________________
>>> Wikitech-l mailing list
>>> Wikitech-l@lists.wikimedia.org
>>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

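The three behaviours discussed in this thread (plain logout that leaves other sessions alone, ending one chosen session, and "sign out all other sessions") can be sketched as a server-side session registry. This is an added example, not code from the thread, MediaWiki or CentralAuth; `SessionRegistry`, `Session` and all method names are hypothetical, and it assumes sessions are stored server-side under a hash of the cookie token.

```python
import hashlib, secrets, time
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    user_agent: str
    ip: str
    last_active: float
    sid: str = field(default_factory=lambda: secrets.token_hex(8))  # public handle, never the cookie value

def _key(token):  # only a hash of the cookie token is stored server-side
    return hashlib.sha256(token.encode()).hexdigest()

class SessionRegistry:  # hypothetical store, constructed for this example
    def __init__(self):
        self._sessions = {}  # sha256(token) -> Session

    def login(self, user, user_agent, ip):
        token = secrets.token_urlsafe(32)  # value that would be set as the session cookie
        self._sessions[_key(token)] = Session(user, user_agent, ip, time.time())
        return token

    def current(self, token):  # live Session for this token (refreshing last_active), else None
        s = self._sessions.get(_key(token))
        if s is not None:
            s.last_active = time.time()
        return s

    def _mine(self, token):  # (key, Session) pairs of the caller's account; empty if token is dead
        me = self.current(token)
        return [(k, s) for k, s in self._sessions.items() if me and s.user == me.user]

    def _drop(self, keys):
        for k in keys:
            del self._sessions[k]
        return len(keys)

    def list_sessions(self, token):  # data for a "where you're logged in" overview
        return [s for _, s in self._mine(token)]

    def logout(self, token):  # plain logout: only this session ends
        return self._drop([k for k, _ in self._mine(token) if k == _key(token)])

    def end_session(self, token, sid):  # end one session, only within the caller's own account
        return bool(self._drop([k for k, s in self._mine(token) if s.sid == sid]))

    def sign_out_others(self, token):  # keep the current session, end the rest of the account's
        return self._drop([k for k, _ in self._mine(token) if k != _key(token)])
```

Every revocation path goes through `_mine`, so a session handle taken from one account cannot be used to end a session that belongs to another.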