Different logins in same browser session and login_required


PyMan

Oct 19, 2010, 10:55:41 AM10/19/10
to Django users
Hi guys,
I need some help about logins and session and any help would be much
appreciated :)

This is the scenario:
* Django 1.2.0
* Firefox (but I think any browser too)

These are the steps:
1) On the same computer (so in the same browser session) I have two
browser windows "W1" and "W2" where the user "U1" is already logged in
in both windows.
2) In the browser window "W1" the user logs out
3) In the browser window "W1" the user "U2" logs in and gets
redirected to the main web page
4) In the browser window "W2" any call to the views (all using the
"login_required" decorator) is done with request.user set to "U2"
instead of the old "U1" --> here the human user could still think he is
"U1" in this window (indeed he can see "U1" printed in the web page
previously rendered), but he's surfing as "U2"

Since you can't keep two or more logged-in users in the same session, I'd
like to catch this situation and redirect the user to the login page.

Of course I don't want to rewrite all the ajax and not ajax calls to
pass the "current" (means "old") user as parameter to match with
request.user for a change. It's ugly and expensive.

Any idea?

Thanks.
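
The four steps above, replayed in a small model (an added example, not part of the original thread and not Django code): every window of a browser shares one cookie jar, so a view that checks only the session sees "U2" from W2, while a check that also compares the user the page was rendered for catches the switch. The `Window` class, the helper functions and the `X-Expected-User` header are hypothetical names.

```python
import secrets

SESSIONS = {}  # server side: session id -> username


class Window:
    """A browser window; `cookies` is the jar shared by the whole browser."""
    def __init__(self, cookies):
        self.cookies = cookies
        self.rendered_user = None  # user name printed in the page on screen


def session_user(window):
    return SESSIONS.get(window.cookies.get("sessionid"))


def login(window, username):
    sid = secrets.token_hex(16)        # fresh session id on every login
    SESSIONS[sid] = username
    window.cookies["sessionid"] = sid  # overwrites the cookie for ALL windows
    window.rendered_user = username


def logout(window):
    SESSIONS.pop(window.cookies.pop("sessionid", None), None)
    window.rendered_user = None


def unguarded_call(window):
    """What a login_required view sees: only the shared session cookie."""
    return session_user(window)


def guarded_call(window):
    """The request also carries the user the page was rendered for
    (hypothetical X-Expected-User header); a mismatch forces a new login."""
    current = session_user(window)
    if current is None or current != window.rendered_user:
        return (401, "redirect to login")
    return (200, current)


def scenario():
    jar = {}                             # one cookie jar, two windows
    w1, w2 = Window(jar), Window(jar)
    login(w1, "U1")                      # step 1: U1 logged in ...
    w2.rendered_user = session_user(w2)  # ... and W2 shows a page for U1
    logout(w1)                           # step 2
    login(w1, "U2")                      # step 3
    # step 4: W2 acts as U2 unless the rendered user is compared as well
    return unguarded_call(w2), guarded_call(w2), guarded_call(w1)
```
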

Bill Freeman

Oct 19, 2010, 12:03:46 PM10/19/10
to django...@googlegroups.com
This is a limitation of the browser. It does not keep separate credentials
for separate windows. This is usually desirable because you may choose
to open a link in a new window (or tab) and you still expect to be logged in.

The only solution I know is to run separate browsers. You can install, say,
both firefox and chrome, for example. If you truly need to have them be the
same browser version, then the easiest thing is to run one in a virtual
machine.

On linux you can, if you are sharp, run two X servers on two separate
virtual terminals, and log in as different users on the two of them. Browsers
run by separate users are separate. On windows you might do this with
the switch user without logging out functionality. I don't know about Macs.

Bill


David De La Harpe Golden

Oct 19, 2010, 12:28:29 PM10/19/10
to django...@googlegroups.com, Bill Freeman
On 19/10/10 17:03, Bill Freeman wrote:
> This is a limitation of the browser. It does not keep separate credentials
> for separate windows. This is usually desirable because you may choose
> to open a link in a new window (or tab) and you still expect to be logged in.
>

IE8 (and probably other browsers) are growing more flexible in that area:

http://blogs.msdn.com/b/ie/archive/2009/05/06/session-cookies-sessionstorage-and-ie8.aspx

> The only solution I know is to run separate browsers. You can install, say,
> both firefox and chrome, for example. If you truly need to have them be the
> same browser version, then the easiest thing is to run one in a virtual
> machine.

Firefox has long had its "profile" functionality.

firefox -no-remote -ProfileManager

You can create multiple firefox profiles, then run multiple instances of
firefox at once - so long as you use different profiles for them. A bit
fiddly, but obviously useful for development/testing.

PyMan

Oct 20, 2010, 3:11:31 AM10/20/10
to Django users
>
> Firefox has long had its "profile" functionality.
>
> firefox -no-remote -ProfileManager
>
> You can create multiple firefox profiles, then run multiple instances of
> firefox at once - so long as you use different profiles for them.  A bit
> fiddly, but obviously useful for development/testing.

First of all thanks for your answers to both of you :)

Yeah, I know about FX profiles and I already knew it was a working
solution, but it's not a good solution. I mean we're speaking about
users that don't even know what a browser is. Telling them to do that
is just a mess.

Daniel Roseman

Oct 20, 2010, 4:28:19 AM10/20/10
to Django users
What's your case for getting end users to log in as two separate
profiles? If they're non-technical, they shouldn't have to be worrying
about this level of detail in any case. It's going to be confusing for
them no matter what you do.
--
DR.

PyMan

Oct 20, 2010, 5:20:14 AM10/20/10
to Django users
It shouldn't happen, but it could. It's an office or it's a warehouse,
people could work with the same user and/or (above all) people may
work on the same machine...so they should pay attention to what they
do...but even no.

Just an example of when the problem can occur:
The djangoapp has more users, some of these have privileges to access
the django-admin to change some user permissions

With just one opened browser window the user U1 (not superuser/staff)
is logged on, then going on the django-admin (in a new window because
the link opened there, or just the user opened a new window by himself
or whatever) a login is required. Logging on with a different user,
the first window still seems (especially when the whole application is
ajax based) to use the U1 user and something not expected (to the
user) may occur.

I understand it's normal, the end-user may not.

Steve Holden

Oct 20, 2010, 7:48:41 AM10/20/10
to django...@googlegroups.com, PyMan
In which case the solution is to instruct them not to share logins,
which they would have to do to experience those problems.

I agree it can be a pain when they do that, but if they are so
unsophisticated that they let two different users interact with the
system through a single login account they must expect trouble with
authenticated systems.

As is so often the case, education is the answer. And, as is so often
the case, the users would rather sacrifice security for convenience
(then make it the system designer's fault when they realize they can't
have both).

regards
Steve

--
DjangoCon US 2010 September 7-9 http://djangocon.us/

PyMan

Oct 20, 2010, 8:00:51 AM10/20/10
to Django users
100% agree! If it were for me the thing would have already been
stopped here! :D