[openstreetmap/openstreetmap-website] "Remember me" can lock a user into OAuth flow (#3103)

Richard Fairhurst notifications at github.com
Wed Feb 17 21:29:51 UTC 2021

P3 uses a popup OAuth window for users to authenticate with OSM.

If the user clicks "Remember me" on osm.org when first authenticating, then that login becomes a long-living cookie (which AIR stores in the system cookie store, i.e. as used by IE or Safari).

If the user subsequently clicks "Log out" from P3's Connection prefs, then P3 deletes the OAuth user token/secret and won't use them to authenticate next time.

However, when the user next tries to save and the popup OAuth window opens, the "Remember me" cookie is still there. So osm.org goes straight to the "Authorize access to your account" page and says "The application Potlatch 3 is requesting access to your account, Richard." Which is a problem if what you actually wanted to do is log in with another account.

Couple of possible solutions:

- Drop the "Remember me" box from the OAuth login page
- Provide a "Log in as a different user" link on the "Authorize access" page
