[Koha-bugs] [Bug 18549] There should be a warning that logging out of Koha will leave browser session logged in to OAuth

bugzilla-daemon at bugs.koha-community.org
Tue May 9 15:48:55 CEST 2017


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18549

--- Comment #9 from M. Tompsett <mtompset at hotmail.com> ---
(In reply to Martin Renvoize from comment #6)
> I think this bug is somewhat misleading to the user, unfortunately.
[SNIP]
> I think the current (as in, in master) implementation is more 'the norm'

It is. The problem is that if users walk away, someone else can click 'login'
and become the person who just left.


> and that adding this patch actually obfuscates that clarity a bit more.

That's what the whole dialogue message is supposed to make clear. If your
objection is with the explanation, then feel free to suggest alternative
wording.


> By allowing a 'logout of google too' option, you're inferring
> that a google logout affects koha in some way, when in fact it
> does not.

No, I am implying that by choosing that option, other Google-related
tabs/windows in the same browser may be affected. You inferred incorrectly, so
clearly the dialogue message needs tweaking, because 'Koha and Google' is the
button name, not what you are logging in and out of manually in random order.

TAB A: GMail
TAB B: Koha OPAC logged in via OAuth
Click logout in OPAC.
Get dialogue (because you've applied this patch)
Click 'Koha and Google': your TAB A will be affected, and you will be forced to
log in again to continue reading your GMail.
But if you click 'Koha only', TAB A is not affected, but you suffer the 'next
user can become you' problem when the next person clicks the Koha OPAC login.

I suspect this is why people go with the most complex and horrid iframe
solution, because that may do some authorization revoking without actually
logging out and thus not have the potential identity theft issue.
