Logging out JTS from one browser doesn't log out the session from another browser
I find an interesting jts authentication scenario. I am wondering if it is a defect.
The scenario is: If I open and log into JTS admin page from two browsers (like IE & Firefox), and then if I log out from one browser, I can still access the jts admin page from the other browser.
I think this is because logging out doesn't make the oauth access token expired.
This also causes another problem to an application which delegates the authentication to JTS - Logging out from JTS session will not make the user logged out from the application because the access token is still good. Then user needs to handle multiple log out in this case.
Is this a defect? Should logging out from JTS makes all access tokens belong to the user expired?
Thanks, John
The scenario is: If I open and log into JTS admin page from two browsers (like IE & Firefox), and then if I log out from one browser, I can still access the jts admin page from the other browser.
I think this is because logging out doesn't make the oauth access token expired.
This also causes another problem to an application which delegates the authentication to JTS - Logging out from JTS session will not make the user logged out from the application because the access token is still good. Then user needs to handle multiple log out in this case.
Is this a defect? Should logging out from JTS makes all access tokens belong to the user expired?
Thanks, John
One answer
I am not the expert in this area, but I think it is working as designed. A log-in is specific to a client (such as a browser). Logging out of one browser should not affect a session in another browser.
There would be some value in having a way to immediately disconnect all sessions for a user. (You might use this if you think your account is compromised and you want to stop any intruders using your account.) But it should be a separate command, not the "Logout" button.
