Server: Missing sessions on Personal page
Steps to reproduce
- Create app tokens
- Log in via the web
- Log in via the clients
Expected behaviour
All my sessions should be listed
Actual behaviour
Only the Web session is listed
The Apps Password section shows that there is activity with the tokens
@LukasReschke @icewind1991
oparoz
All 11 comments
@oparoz do you mean active clients should be shown in the sessions section too?
ChristophWurst
on 11 Apr 2017
I guess so since the description for "Sessions" says: "Web, desktop and mobile clients currently logged in to your account"
oparoz
on 11 Apr 2017
Yeah well, to be precise it should be "desktop and mobile clients not using device-specific passwords". Not sure if we should show devices in the list of active sessions.
ChristophWurst
on 11 Apr 2017
Ah, I see.
I think it makes sense to have everything under "Sessions", because in the future we may want to be able to kill them.
oparoz
on 11 Apr 2017
I think it makes sense to have everything under "Sessions", because in the future we may want to be able to kill them.
Yes - they need to be combined.
MorrisJobke
on 19 May 2017
And we should not show sessions of mobile phone and desktop because they are recreated automatically.
MorrisJobke
on 22 May 2017
I think it makes sense to have everything under "Sessions", because in the future we may want to be able to kill them.
PR at https://github.com/nextcloud/server/pull/5166 :)
And we should not show sessions of mobile phone and desktop because they are recreated automatically.
Please elaborate. Which sessions are you talking about here? IIRC we do list clients that support cookies, like our sync clients when they are configured to use the login password and not an app password.
ChristophWurst
on 30 May 2017
Please elaborate. Which sessions are you talking about here? IIRC we do list clients that support cookies, like our sync clients when they are configured to use the login password and not an app password.
Correct. The client uses sessions, but it also stores the app password (like the Android and iOS app) so when you "remove" that session via the web UI on the next request it will be recreated. Thus it is quite useless to show it. :/
MorrisJobke
on 30 May 2017
I see your point. I'll think about a possible solution. Maybe we need a new token type for that …
ChristophWurst
on 30 May 2017
I see your point. I'll think about a possible solution. Maybe we need a new token type for that …
Or oauth2 🙈 😉
MorrisJobke
on 1 Jun 2017
That's only a solution if we slowly deprecate HTTP basic auth IMO and have a clean migration path.
ChristophWurst
on 1 Jun 2017
Related issues
blackcrack
·
3Comments
ThomasLeister
·
3Comments
brylie
·
3Comments
rullzer
·
3Comments
mama21mama
·
3Comments
Most helpful comment
Ah, I see.
I think it makes sense to have everything under "Sessions", because in the future we may want to be able to kill them.