[openstreetmap/openstreetmap-website] "Remember me" can lock a user into OAuth flow (#3103)

[Richard Fairhurst]

P3 uses a popup OAuth window for users to authenticate with OSM.

If the user clicks "Remember me" on osm.org when first authenticating, then that login becomes a long-living cookie (which AIR stores in the system cookie store, i.e. as used by IE or Safari).

If the user subsequently clicks "Log out" from P3's Connection prefs, then P3 deletes the OAuth user token/secret and won't use them to authenticate next time.

However, when the user next tries to save and the popup OAuth window opens, the "Remember me" cookie is still there. So osm.org goes straight to the "Authorize access to your account" page and says "The application Potlatch 3 is requesting access to your account, Richard." Which is a problem if what you actually wanted to do is log in with another account.

Couple of possible solutions:

- Drop the "Remember me" box from the OAuth login page
- Provide a "Log in as a different user" link on the "Authorize access" page

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/3103
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/rails-dev/attachments/20210217/0064dc5e/attachment.htm>