Your Subscription link in email footer opens other account subscription page #bug


Andy Wedge
 

Hi Mark,

This may be an anomaly due to the way I'm testing but I thought I'd mention it anyway.

From my 'owner' account using the web UI I send a message to my testing subgroup. When I open the email received by my 'member' account in that group and click on the Your Subscription link in the footer, I get a new browser tab (I'm using FF) showing the subscription options for my 'owner' account.

If I initially click on the Follow This Topic link in the footer, it detects that this relates to a different account and I get presented with a login screen for that. It's the initial click on Your Subscription where this account detection mechanism doesn't seem to work.

Regards,
Andy


Jim Wilson
 

I agree this is a bug since the system should have noticed the link for "Your Subscription" (which contains the id number of the intended subscriber constructed as https://groups.io/g/[group name]/editsub/[id number]) was for a different subscriber number than the account that was currently logged on. I would say an automatic logout would be appropriate for safety and security reasons.

However, after sending the message from the 'owner' account for testing purposes, one should log out before opening an email intended for a 'member' account to properly replicate a real-world scenario.

--
Jim
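
A sketch of the server-side check discussed in the two posts above, added here as an illustration; it is not Groups.io code and not code from anyone in this thread. Only the link shape `/g/[group name]/editsub/[id number]` comes from the thread; the function name, the subscription table and the account ids are hypothetical. On a mismatch it asks for a login, matching what Andy reports for the Follow This Topic link.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Link shape quoted in the thread: https://groups.io/g/[group name]/editsub/[id number]
EDITSUB_PATH = re.compile(r"^/g/(?P<group>[^/]+)/editsub/(?P<sub_id>\d+)$")

@dataclass(frozen=True)
class Decision:
    action: str                   # "show", "login" or "not_found"
    sub_id: Optional[int] = None

def resolve_editsub(path, session_account, subscriptions):
    """Decide how to answer a click on the footer link.

    session_account: account id taken from the browser's session cookie, or None.
    subscriptions:   hypothetical lookup {subscription id: (group, account id)}.
    """
    m = EDITSUB_PATH.match(path)
    if not m:
        return Decision("not_found")
    sub_id = int(m["sub_id"])
    record = subscriptions.get(sub_id)
    # Unknown id and id from another group get the same answer, so the
    # response does not reveal which subscription ids exist.
    if record is None or record[0] != m["group"]:
        return Decision("not_found")
    # The id in the URL only says which subscription is wanted. Who is asking
    # comes from the session, and the two must agree before anything is shown.
    if session_account is None or session_account != record[1]:
        return Decision("login", sub_id)
    return Decision("show", sub_id)

# Constructed sample data: an owner and a member subscription in a test group.
SUBS = {101: ("testing", "owner-acct"), 202: ("testing", "member-acct")}

if __name__ == "__main__":
    # The member's footer link opened in three different session states.
    for who in ("owner-acct", "member-acct", None):
        print(who, resolve_editsub("/g/testing/editsub/202", who, SUBS))
```
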


Andy Wedge
 

On Mon, Jun 22, 2020 at 01:55 PM, Jim Wilson wrote:
> to properly replicate a real-world scenario.

My real-world scenario involves me being logged in with 3 different accounts at the same time on 3 different browser tabs. I don't need to log out to switch accounts, I just switch tabs.

Andy


Jim Wilson
 

That is not the way to test among several accounts. It is very unreliable and/or unpredictable because the login is cached for the entire browser, not individual tabs.

The proof is that, after fully logging out, close and reopen the browser. Visit https://groups.io/ and log in with a member account. Then open another tab and visit https://groups.io/ in that tab and you will see you are automatically logged in as the same member as the first tab because the session is maintained for the entire browser window. Further proof is that logging out with the second tab will log you out on the first tab.

In other words, the only way to create reliable isolation is to use two (or more) browsers (such as Chrome and FF) or simply log in and log out with a single browser.
--
Jim


Duane
 

On Tue, Jun 23, 2020 at 07:39 AM, Jim Wilson wrote:
> the only way to create reliable isolation is to use two (or more) browsers

The latest versions of browsers, at least Firefox, allow you to open multiple private tabs that are totally isolated, so your logic would no longer apply. I've only used them for testing as it can get quite confusing.

Duane


Jim Wilson
 

Sorry, Duane, that's not true.

I just tested it with FF and the exact same thing happens with multiple tabs in a private window as well as multiple private windows. That means session information is still shared among multiple private tabs and even multiple private windows. That also means you should not force a logon for a different user in another tab or second window because it risks corrupting the entire session in an unpredictable manner.

Having said all that and having checked FF docs which indicate session information is compartmentalized between primary and private windows, I tested with a regular FF window logged into GIO as "Member A" and then opened a separate private window addressed to GIO and it clearly showed it was not automatically authenticated as Member A. So, in that singular scenario, it would appear to create two isolated sessions correctly. I still wouldn't recommend it, though.

I contend it is far easier and far more reliable to use an alternate browser for concrete session isolation.
--
Jim


Andy Wedge
 

On Tue, Jun 23, 2020 at 02:40 PM, Jim Wilson wrote:
> I contend it is far easier and far more reliable to use an alternate browser for concrete session isolation.

I use Firefox Multi-Account Containers, which keeps cookies and session details isolated between tabs.

No need for multiple browsers and different windows. I use a different coloured tab for each login (Owner/Mod/Member). Simple and effective.

Andy


Jim Wilson
 

Ok, then. Could have mentioned that already. 😐

Thanks for the update, though. I'll have to check that out.
--
Jim