[OpenStreetMap] #5028: "remeber me" does not keep the user logged in

OpenStreetMap trac at noreply.openstreetmap.org
Sat Nov 16 11:09:46 UTC 2013


#5028: "remeber me" does not keep the user logged in
--------------------------+-------------------------
  Reporter:  aseerel4c26  |      Owner:  rails-dev@…
      Type:  defect       |     Status:  new
  Priority:  minor        |  Milestone:
 Component:  website      |    Version:
Resolution:               |   Keywords:  cookies
--------------------------+-------------------------

Comment (by TomH):

 Thanks for figuring that out... I'm guessing I already had an
 _osm_username cookie when they introduced that feature to NoScript and
 hence I never saw this because it's so long lived.

 I don't think there's a good solution, other than allowing https more
 widely, which we're already working on, or dropping the _osm_username
 cookie which, strictly speaking, shouldn't be needed.

 The history of this is that back when we upgraded to rails 3.1 there was
 an odd issue going on, which I never got to the bottom of, where sessions
 were getting mixed up and people were appearing to be logged in as other
 people, which obviously wasn't good. So I added a double check in
 [changeset:5bc3054/rails] which stores the username in an additional
 cookie and cross checks it against the session on future requests.

 Having said that, the logs don't seem to show it actually being triggered
 these days, other than a few misfires when somebody changes their
 username, so maybe we can get rid of it now.

-- 
Ticket URL: <https://trac.openstreetmap.org/ticket/5028#comment:6>
OpenStreetMap <http://www.openstreetmap.org/>
OpenStreetMap is a free editable map of the whole world



More information about the rails-dev mailing list