Comment 58 for bug 861171

Matthew Paul Thomas (mpt) wrote :

Robert, thank you. That looks a much better design, because it provides a well-framed choice. I'd tack an "Anyway" onto the "Shut Down" button, as a hint to those who didn't read the text that something risky is about to happen.

People here have made statements of the form "It's no use asking for authentication, because someone could just hold down the power button ... unless it's physically inaccessible." I don't think that logic follows. It's true that someone could just hold down the power button -- but a large percentage of people *won't* do that, because they'll realize something unexpected is going on. I suggest that security is not necessarily the only purpose of an authentication dialog, and it may not be the purpose here. Another purpose is to reduce data loss by getting more people to pause and think about what they're about to do. And I think that more people will do that with an authentication dialog than with a vanilla confirmation dialog. The tradeoff is that an authentication dialog doesn't (with the current API, at least) allow for including a "Log Out Instead" button.

So, here is a wireframe of the single-session case, followed by wireframes of three options for the multi-session case:
A: a refinement of Robert's alternative, with "Log Out Instead", "Cancel", and "Shut Down Anyway"
B: an any-user authentication dialog, with "Cancel" and "Continue"
C: an administrator-only authentication dialog, with "Cancel" and "Continue".