Logging out of Launchpad doesn't really log you out

Bug #568106 reported by Francis J. Lacoste on 2010-04-21
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Launchpad itself
High
Gary Poster

Bug Description

If you log out of Launchpad to log in as sombody else, the next time you click log in, you'll be automatically logged in as the user you authenticated before.

To really log in as somebody else, you need to go to login.launchpad.net and also log out there.

Related branches

Guilherme Salgado (salgado) wrote :

Bug 329178 is somewhat related.

Guilherme Salgado (salgado) wrote :

I think this happens because when you authorize the OP to send your details to Launchpad, the OP stores that authorization and keep it valid for some time, so the next time you login the OP will send your account details without asking for your permission.

AFAIK, the only thing that Launchpad could do is to tell the OP to always require the user to *authenticate*, but I'm not sure that's what we want.

Assuming I understand the problem you're describing ... as a short-term fix, you can redirect your users on logout to https://login.launchpad.net/+logout. This isn't a perfect UX because there's currently no direct way back to the calling site but it seems to be working as a temporary fix for U1. We're working on a better longer-term fix.

Gary Poster (gary) on 2010-04-23
summary: - Loggin out of Launchpad doesn't really logs you out
+ Logging out of Launchpad doesn't really log you out
Gary Poster (gary) wrote :

I think we ought to do what Stuart suggests, quickly.

I have some inconclusive thoughts on a longer-term solution, following.

Since we are hoping to switch to HTTP for much of Launchpad, we have been contemplating making HTTP session cookies last only a day or less (while HTTPS session cookies might last much longer, as they do). This would mitigate the risk of stolen session cookies.

If we did that, when an OP still thinks that a user is logged in and Launchpad has timed out an HTTP session, I would like the OP to re-authenticate the Launchpad session without user interaction. That is, it would just do the redirect dance *without* requiring the user to click "OK" again. This would make more frequent Launchpad HTTP re-authentication much less painful.

However, if a user explicitly logs out of Launchpad, it would be reasonable to force the OP to re-authenticate the next time the user logs in.

Is there any way to make this story work, other than the short-term solution we will be implementing per Stuart's suggestion? Does anyone disagree on my goals?

I don't see

Changed in launchpad-foundations:
status: New → Triaged
importance: Undecided → High
Changed in launchpad-foundations:
assignee: nobody → Gary Poster (gary)
milestone: none → 10.05
status: Triaged → Fix Committed
tags: added: qa-needstesting
tags: added: qa-ok
removed: qa-needstesting
Changed in launchpad-foundations:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers