Closed Bug 864886 Opened 7 years ago Closed 7 years ago

Logging out of a site in one tab should log you out in any other tabs as well

Categories

(Core Graveyard :: Identity, defect)

22 Branch
All
Gonk (Firefox OS)
defect
Not set

Tracking

(blocking-b2g:leo+, firefox22 wontfix, firefox23 fixed, b2g18 fixed, b2g18-v1.0.0 wontfix, b2g18-v1.0.1 wontfix, b2g-v1.1hd fixed)

RESOLVED FIXED
mozilla23

People

(Reporter: jedp, Assigned: jedp)

Details

(Whiteboard: [qa+][fixed-in-birch][mozilla-triage])

Attachments

(1 file, 1 obsolete file)

Reported by Ed in https://github.com/mozilla/browserid/issues/3284

I'm on Inari with sha: a5a95f7f
1. go to native.123done.org in 1 tab and sign in
2. do the same for another tab
3. log out of one of the tabs
4. look at the other tab

result: you are not automatically logged out.
expected: you should get logged out.
workaround: if you hit refresh, you will be logged out.
I expect this may have broken when we made the persona process non-permanent in bug 839500.
No, that's wrong.  This has nothing to do with the persistence of the iframe.  This has to do with localStorage listeners being in a different frame altogether from the RP.
Assignee: nobody → jparsons
Tested on b2g desktop build with native.123done.org in multiple tabs.

Confirmed that logging in and out of UI Tests -> navigator.mozId test page doesn't log you out of other origins.
Attachment #743683 - Flags: review?(benadida)
Attachment #743683 - Flags: review?(benadida) → review+
Looks like B2G Arm (VM) opt xpcshell tests are failing.  Looking into it.
Found a glitch - rp flows needed to be deleted on unwatch()
Added tests for multiple logout
Attachment #743683 - Attachment is obsolete: true
Whiteboard: [qa+]
Ready to land in m-c.  If it looks good, I will request a=leo+
Keywords: checkin-needed
https://hg.mozilla.org/projects/birch/rev/c29ff6b56977
Flags: in-testsuite+
Keywords: checkin-needed
Whiteboard: [qa+] → [qa+][fixed-in-birch]
https://hg.mozilla.org/mozilla-central/rev/c29ff6b56977
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
blocking-b2g: --- → leo?
Triage: Leo didn't feel they had enough information to make a call on blocking status for this bug.

Can you explain more fully the user impact if this patch doesn't land and the level of risk of taking it? Is there a security risk where users would be able to carry out actions they should no longer be authenticated to carry out?
Flags: needinfo?(jparsons)
Whiteboard: [qa+][fixed-in-birch] → [qa+][fixed-in-birch][mozilla-triage]
(In reply to Ben Francis [:benfrancis] from comment #11)
> Triage: Leo didn't feel they had enough information to make a call on
> blocking status for this bug.
> 
> Can you explain more fully the user impact if this patch doesn't land and
> the level of risk of taking it? Is there a security risk where users would
> be able to carry out actions they should no longer be authenticated to carry
> out?

Hi, Ben,

Yes, there is a potential security impact for users.  Users would think they had logged out of Persona for a given origin in the browser app (or any app that has tabs in it), but other tabs to the same origin would not receive the corresponding logout message they should.  This could lead to a different person using a device and being able to view sensitive information, or, depending on how the site in question manages sessions, manipulate the original user's data.  So refreshing the page isn't a great workaround, since you would have to know to do that in the first place, and know how many pages there were to refresh.

I think the risk to landing the patch is low.  Basically, we're just going through the list of origins here that are the same as the one the user is logging out of and firing the onlogout callback on each.  

(On a regular desktop browser, this takes care of itself, because the localStorage events are received by each window with a Persona login, and Persona reacts to sign-in status changes, firing the onlogout callback in each tab open to the same origin; the b2g model is different, both for windows and localStorage, and we unfortunately missed this case the first time around.)

Thanks!
j
Flags: needinfo?(jparsons)
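The logic described in the comment above, as an added example that is not part of the original bug or the landed patch: a registry of relying-party flows in which logout notifies every flow on the same origin, and unwatch() deletes the flow. The class, its method names and the other.example origin are hypothetical.

```javascript
// Added illustration. RpFlowRegistry and its methods are hypothetical names,
// not the Gecko identity module's API.
class RpFlowRegistry {
  constructor() {
    this.flows = new Map(); // flow id -> { origin, onlogout }
  }
  // A tab starts watching identity state for its origin.
  watch(id, origin, onlogout) {
    this.flows.set(id, { origin, onlogout });
  }
  // A tab goes away: delete its flow so a later logout skips it.
  unwatch(id) {
    return this.flows.delete(id);
  }
  // Behaviour in the report: only the tab that asked gets onlogout.
  logoutCallerOnly(id) {
    const flow = this.flows.get(id);
    if (!flow) return [];
    flow.onlogout();
    return [id];
  }
  // Behaviour described in the comment: notify every flow on the same origin.
  logoutSameOrigin(id) {
    const caller = this.flows.get(id);
    if (!caller) return [];
    const notified = [];
    for (const [flowId, flow] of this.flows) {
      if (flow.origin !== caller.origin) continue; // other origins stay signed in
      flow.onlogout();
      notified.push(flowId);
    }
    return notified;
  }
}

// Constructed scenario: tabs 1-3 on one origin (tab 3 later closed), tab 4 elsewhere.
function scenario(method) {
  const reg = new RpFlowRegistry();
  const fired = []; // ids of tabs whose onlogout callback ran
  const origins = { 1: "https://native.123done.org", 2: "https://native.123done.org",
                    3: "https://native.123done.org", 4: "https://other.example" };
  for (const [id, origin] of Object.entries(origins)) {
    reg.watch(Number(id), origin, () => fired.push(Number(id)));
  }
  reg.unwatch(3);  // closed tab must not be called back
  reg[method](1);  // user logs out in tab 1
  return fired;
}

console.log(scenario("logoutCallerOnly"), scenario("logoutSameOrigin"));
```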
blocking-b2g: leo? → leo+
Splendid.  Thanks.
Flags: in-moztrap?
UCID: BROWSER-085
Flags: in-moztrap? → in-moztrap+
(In reply to Angela Hubenya from comment #16)
> UCID: BROWSER-085

The test case here is incorrect. This is talking about persona login specifically, not generally. There's a significant difference in the test workflow being executed here.
Flags: in-moztrap+ → in-moztrap?
(In reply to Jason Smith [:jsmith] from comment #17)
> (In reply to Angela Hubenya from comment #16)
> > UCID: BROWSER-085
> 
> The test case here is incorrect. This is talking about persona login
> specifically, not generally. There's a significant difference in the test
> workflow being executed here.

The test case could be something like this, perhaps:

1. In a browser tab, sign in to firefoxos.123done.org
2. In another browser tab, sign in to firefoxos.123done.org
3. Return to the first browser tab and log out of 123done
4. Return to the second browser tab

Expect to see that you were logged out; no page refresh necessary
Ok thanks, I will create another test case
(In reply to Angela Hubenya from comment #19)
> Ok thanks, I will create another test case

Okay. Looks good on the updated test case.
(In reply to Angela Hubenya from comment #19)
> Ok thanks, I will create another test case

Angela, thanks for being on top of this!
(In reply to Jed Parsons [:jedp, :jparsons] from comment #21)
> (In reply to Angela Hubenya from comment #19)
> > Ok thanks, I will create another test case
> 
> Angela, thanks for being on top of this!

No problem :)
Whiteboard: [qa+][fixed-in-birch][mozilla-triage] → [qa+][fixed-in-birch][mozilla-triage], leorun3
Whiteboard: [qa+][fixed-in-birch][mozilla-triage], leorun3 → [qa+][fixed-in-birch][mozilla-triage]
Product: Core → Core Graveyard