Authenticated user sessions

    Introduction

    Today, users may encounter logout messages when saving pages, seemingly random session logouts, and other quirky behavior due to the cookie-based logins. This spec aims to define what type of experience users can expect once they log in to MindTouch.

    Intended Audience

    Core feature.

    Additional information

     

    Status

    Initial scoping by Guerric

    Functional Specification

    Use Cases

    User wants to login

    Going through the standard login process without checking the "remain logged in" box provides a session-only login. After closing the browser, the user is logged out. Additionally, the session token is tied to the IP address it was issued to, as an extra layer of security: a token presented from a different address is rejected. The trade-off is that a user whose address changes mid-session (for example behind a rotating proxy or on a mobile network) will be logged out when it changes.

    User wants to remain logged in on the current computer

    User is presented with the standard login form. A checkbox lets the user specify that their session should persist on the current machine. If the checkbox is selected, the user is never prompted to log in again unless a global logout is performed or the next use case is encountered.

    User has not visited the site in X days & is logged out

    After a set time period (X days) without a visit, the user's long-term authtoken expires. The expiry is sliding: each visit resets the window, so a user who continues to visit the site every day, or at least every X-1 days, is never logged out.

    User wants to logout on the current computer

    User clicks logout and is directed to the logout page. The current session is logged out and the page offers the option to log out all sessions. If global logout is not selected, the user is redirected back to the page they came from after a short timeout.

    User changes their password

    Upon changing their password, all of the user's other sessions are invalidated; only the session from which the password was changed remains authenticated.

    Trusted Auth: User login

    TBD

    Trusted Auth: User logout

    TBD

    Non-goals

    Technical Specification

    UI requirements

    API requirements

    Auth token types

    session + ip-based - used for short term logins
    sliding expiry - used for long term logins
    short term/nonce - used for user.authtoken
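
    The following is an added example, not MindTouch's own code, showing one way the three token types above and the use cases in this spec (IP-bound session login, sliding-expiry "remain logged in", single-use nonce for user.authtoken, global logout, password-change invalidation) fit together in a single server-side store. The class and method names, the 14-day value standing in for "X days" and the 60-second nonce lifetime are assumptions; the store is in-memory and keeps only a digest of each token so that a leaked store does not hand out usable logins.

```python
import hashlib
import hmac
import secrets
import time

# Assumed values: the spec leaves "X days" and the nonce lifetime unspecified.
LONG_TERM_DAYS = 14
NONCE_LIFETIME_SECONDS = 60


class SessionStore:
    """Server-side store for the three token types: session+IP, sliding
    expiry, and short-term nonce. Clients only ever hold the random token;
    the store keeps a SHA-256 digest of it (lookup key), never the token."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._sessions = {}          # digest -> {"user", "kind", "ip", "expires"}
        self._nonces = {}            # digest -> {"user", "expires"}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def _issue(self, table, record):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        table[self._digest(token)] = record
        return token

    # Token type 1: session + IP. No server-side expiry: the browser drops the
    # cookie on close, and the token is only accepted from the issuing address.
    def login_session(self, user, ip):
        return self._issue(self._sessions,
                           {"user": user, "kind": "session", "ip": ip, "expires": None})

    # Token type 2: sliding expiry, for the "remain logged in" checkbox.
    def login_remembered(self, user):
        return self._issue(self._sessions,
                           {"user": user, "kind": "sliding", "ip": None,
                            "expires": self._clock() + LONG_TERM_DAYS * 86400})

    # Token type 3: short-lived, single-use nonce for user.authtoken.
    def issue_nonce(self, user):
        return self._issue(self._nonces,
                           {"user": user, "expires": self._clock() + NONCE_LIFETIME_SECONDS})

    def redeem_nonce(self, token):
        rec = self._nonces.pop(self._digest(token), None)   # pop: single use
        if rec is None or self._clock() > rec["expires"]:
            return None
        return rec["user"]

    def authenticate(self, token, ip):
        """Return the user for a valid token, else None. Each successful use of
        a sliding token pushes its expiry another X days out, so a user who
        visits at least every X-1 days is never logged out."""
        key = self._digest(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        if rec["kind"] == "session":
            if not hmac.compare_digest(rec["ip"], ip):   # constant-time compare
                return None
        else:
            now = self._clock()
            if now > rec["expires"]:
                del self._sessions[key]
                return None
            rec["expires"] = now + LONG_TERM_DAYS * 86400
        return rec["user"]

    def logout(self, token, everywhere=False):
        """Drop the current session; with everywhere=True, every session of
        that user (the logout page's "logout all sessions" option)."""
        rec = self._sessions.pop(self._digest(token), None)
        if rec is not None and everywhere:
            self._drop_user_sessions(rec["user"])

    def change_password(self, token):
        """Password change: every other session of the user is invalidated;
        only the session the change was made from stays authenticated."""
        key = self._digest(token)
        rec = self._sessions.get(key)
        if rec is not None:
            self._drop_user_sessions(rec["user"], keep=key)

    def _drop_user_sessions(self, user, keep=None):
        doomed = [k for k, r in self._sessions.items() if r["user"] == user and k != keep]
        for key in doomed:
            del self._sessions[key]

    def active_sessions(self, user):
        return sum(1 for r in self._sessions.values() if r["user"] == user)
```

    The nonce table and the session table are kept separate on purpose: a nonce must never be accepted by `authenticate`, and a session token must never be accepted as a one-time authtoken, so neither can be replayed into the other role.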

    @Guerric - Keep in mind the Active Directory groups. I mean, if you add a user to a group (on AD, not the MindTouch interface), if you don't log out / log in you won't get this user / group information from AD. The same if you delete / disable a user on the Active Directory (an employee who was fired): this user will be able to enter MindTouch forever :( edited 22:38, 17 May 2010
    Posted 22:36, 17 May 2010