Opened 15 years ago
Closed 14 years ago
#11876 closed (wontfix)
Allow the user to logout a logged in session from another computer.
| Reported by: | Dan Cooper | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Keywords: | logout, log out, other computers | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I've seen this on a few websites and I think it's a very worthwhile feature that I think would be beneficial in the django trunk. The feature would allow someone to log themselves out of another computer from the one they are sitting at. A real life example of this is when you visit an acquaintance's house, log on to a website and forget to logout. When you come back home and visit the website, you should be able to click a link that states 'log me out of other computers' which will delete all the authorisation tokens server-side apart from the one where the request is coming from. This will ensure the user stays logged in. If the acquaintance then visits that site, they will have no auth credentials and be perceived to just be a anonymous-user. I guess it's up to the website's admin to implement a logout() directly after the log out of other computers to completely remove every authorisation token from the server.
(Forgive me for not knowing how the current authorisation process works. I've tried to have a look but it's all a bit too much for me... I reckon my attempt to provide a solution would be the way that django works anyway, with the auth tokens being different upon every login)
The practicalities of implementation could be that on sign in, the user is given a randomly generated auth cookie which is unique to that login. By this i do not mean a session key, i mean that when the user comes back after >24 hrs they'd still be logged in. With these randomly generated auth cookies, it means that if a user is logged in on two computers, both will have two different auth cookies. The logout of other computers feature would delete the server-side copies of all the auth cookies apart from the one that the request is coming from.
I hope that I've explained myself properly :)
Thanks,
This would require additional database table(s) which would store the auth tokens and corresponding user ids, because Django's sessions are not tied to the User model at all.
While I can see the usefulness of this feature, there isn't anywhere in Django where it currently belongs, unless you wanted to add it to the admin application. Personally, I think it's something that should be implemented as an external feature and proved to be both widely useful and robust before being considered for inclusion into Django.