Last modified: 2011-03-13 18:05:26 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T3548, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 1548 - Security: no forced logout on multiple logins
Status: RESOLVED WONTFIX
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Version: unspecified
Hardware: All All
Importance: Lowest enhancement with 1 vote
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Reported: 2005-02-17 12:25 UTC by Hemanshu Desai
Modified: 2011-03-13 18:05 UTC (History)

Description Hemanshu Desai 2005-02-17 12:25:10 UTC
MediaWiki allows people to log in under the same username from different computers at
the same time. This means that if I forget to log out from a computer, anyone at
that computer can access Wikipedia and pretend to be me. This is a security hazard.

Comment 1 Richard J. Holton 2005-02-17 13:13:55 UTC
I would be against this kind of feature, unless it was an individual user option.

I set up my laptop to "remember me between sessions". Basically, I never log out.
I would be very disappointed if this would mean I could not use Wikipedia from
another system.

Also, it would really do nothing to help security. If you forget to log out from
computer A, how will preventing you from logging in from computer B help?
Computer A remains open for anyone to use either way.

Comment 2 Hemanshu Desai 2005-02-20 04:17:42 UTC
(In reply to comment #1)
> I would be against this kind of feature, unless it was an individual user option.
> 
> Also, it would really do nothing to help security. If you forget to log out from
> computer A, how will preventing you from logging in from computer B help?
> Computer A remains open for anyone to use either way.

The idea is not to prevent login from computer B, but if the same login is from
computer B, the user from computer A should be logged off automatically... again
when you log in on computer A, the login at computer B should expire so that
no one else can use it.

Hemanshu

Comment 3 Richard J. Holton 2005-02-20 05:24:51 UTC
> The idea is not to prevent login from computer B but if same login is from
> computer B, the user from computer A should be logged off automatically... again
> when you login on computer A, the login at computer B should expire so that
> no one else can use it.
>
Of course. This makes sense. However, if someone has "remember password across
sessions" checked in preferences, then this would not occur. Am I correct?

Comment 4 Antoine "hashar" Musso (WMF) 2005-03-04 13:21:55 UTC
I am totally against that feature; I use the same account on multiple
computers and browsers at home.
Users should probably remember to log out when they use their account
on another computer.

Comment 5 Tim Starling 2005-03-09 04:15:58 UTC
Changed severity to enhancement and priority to low, given the opposing comments
above.
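
The behaviour requested in comment 2, combined with the per-user opt-out raised in comment 1, as an added sketch that is not MediaWiki code and not part of the original thread. The names `SessionStore` and `allow_concurrent` are hypothetical, and `sid` stands for whatever credential the browser holds (session cookie or persistent "remember me" token), which is assumed to be checked server-side on every request.

```python
import secrets


class SessionStore:
    """In-memory sketch of 'newest login wins' session handling (hypothetical)."""

    def __init__(self):
        self._generation = {}   # username -> current login generation
        self._sessions = {}     # sid -> (username, generation at login time)
        self._multi_ok = set()  # users who opted in to concurrent sessions

    def allow_concurrent(self, username):
        # Per-user preference: keep several computers logged in at once.
        self._multi_ok.add(username)

    def login(self, username):
        # Assumes the caller has already verified the password.
        if username not in self._multi_ok:
            # Bumping the generation makes every older sid for this user stale.
            self._generation[username] = self._generation.get(username, 0) + 1
        gen = self._generation.setdefault(username, 0)
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = (username, gen)
        return sid

    def validate(self, sid):
        """Return the username for a live session, or None if unknown or stale."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, gen = entry
        if gen != self._generation.get(username):
            del self._sessions[sid]  # superseded by a newer login
            return None
        return username

    def logout(self, sid):
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    computer_a = store.login("alice")  # constructed sample user
    computer_b = store.login("alice")
    print("A still valid:", store.validate(computer_a) is not None)
    print("B still valid:", store.validate(computer_b) is not None)
```

A persistent token only stops being usable on computer A if it goes through the same generation check as the session cookie.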
