User ID & Password

#1

Dear All, we are using the cloud edition. If I save the password once, it never logs out from the browser. Please solve this issue at your earliest. I found that even if I change the user name and password, it is always connected unless I log out from that particular browser.

#2

This is an issue with your browser as per your set preferences and has got nothing to do with Manager itself.

#3

Please don’t misguide people. Don’t write anything without understanding the matter. I said that if you save the user name and password in any browser, those credentials are saved forever until you log out from that browser. If you change your password in another browser, the previously saved password still works and the new password is not asked for at login. So I requested here that Mr Lubos please take care of this issue and set an idle time for auto logout options.

#4

It would have been helpful if you had been more specific with the details the first time.

Read the below topic.

#5

Hello,

Do not mean to offend in any way, but I think you may be misunderstanding the situation @sharpdrivetek.

Authentication with Manager is handled via a cookie labelled ‘session’, and it is the presence of this cookie that allows the user to continue logging in without having to re-enter their credentials.

The web server generally controls the expiry of cookies. It is true that the web browser can override this and choose to clear them sooner, but that’s only if you have control of the browser. If it’s another user, that’s not an option.

From what I can tell, it seems that the session cookie for Manager is set to clear when the browser session ends, possibly using a technique like this:

If the browser session is never considered to end properly (that link says that sometimes Google Chrome does this), the user remains logged in forever.

Consider this example:

  1. New employee given access to Cloud/Server Edition
  2. New employee gets fired / sacked
  3. New employee credentials are modified (change username / password)
  4. New employee can still log in even though they are no longer at the company (according to what @mmi has written … I have not tested this).

I would recommend using a separate login account for each employee, rather than sharing logins (if you do that). When you want to revoke access for a user, completely delete their account. That should prevent them from logging in again.

#6

@ShaneAU You understand exactly what I mean. Your idea is also good, but there is a problem when, as an admin, you log in to any browser from anywhere (that is what people do with online software): if by mistake or intentionally you save your credentials in that browser, how will you handle it? Anyone can delete or change your admin user. Another matter: if your employee leaves your company, then you need to create a new role for new employees, which is time consuming again to provide the exact role of the previous employee. Attention Mr Lubos: please help in this regard.

#7

@mmi to be clear, please confirm one thing.
Are you saying that after the user credentials have been modified, a user can still log in with the old credentials?
If this is the case, had the user ever been signed out of the remote browser or was kept logged in?

  1. If the user had never signed out of the browser, then there is an option to log out remotely. This has been explained in the topic I had linked to earlier.

  2. I understand it is an issue @lubos needs to look into if the user can still log in with old credentials even after the user was signed out remotely.

You just need to change the login password in this case.

#8

I see this as two separate issues here:

You can usually remove the credentials from the browser’s memory: clearing history will give you an option to clear stored passwords.

Also I use the same login on 3 computers regularly and as soon as I am logged in on one, it kicks the other one. I actually had to create a second login to stay logged in and working on my iPad and desktop PC at the same time. (I was perusing invoices on iPad and making adjustments on desktop, when the same user is used, it would broom the other device)

To apply to your situation I would change the password and sign in elsewhere and it should boot the other connections out.

#9

He mentioned that this does not work. If the other user is still logged in, they won’t be forcefully logged out due to a modified password (but if following good app design, they should be).

I’m going to test this right now, to see if I can reproduce the problem. I have some time today.

#10

Okay, I just did the following:

  1. Created a new Restricted Account
  2. Logged into Restricted Account using a separate browser session
  3. Changed the new user’s password
  4. Refreshed the page in the separate browser session. I was kicked to login page (as should happen).
  5. Tested the same thing with an Administrator account. Same results.

Can you please provide steps to reproduce this behaviour?

Try updating to the latest version of Manager as well, in case you’ve found a bug present in an older version that has since been fixed.

#11

Suppose you did it on a public PC, like at a cyber cafe or a friend’s office, or your staff does it. How will you clear the browser credentials?

#12

It’s not a bug. I am using the latest version. Manager should have an option of auto logout if the user is idle, like any banking software.

1 Like
#13

I actually look back,

The list is getting longer and to log out every entry is tedious.

The issue is not small; this is a security issue, as @sharpdrivetek put the reference link. Not allowing simultaneous login is a control mechanism and @lubos removed it. Every user should have their own account; however, replicating the permissions is also tedious because there is no such function as ‘cloning permission’ or ‘inherit permission’.

Now it has become a security issue as it allows multiple logins, and there is no batch logout option either. Having auto logout is the solution and the simultaneous login should be revisited.

2 Likes
#14

I just tested this again on my system and it appears that you are able to log in to two browsers with the same credentials, that issue from the past looks to be fixed.

Option 1
Changing a user’s password does stop access on all other PCs even with credentials saved, as they are no longer valid.

Option 2
Using the Logout button as indicated by @acecombat2

This solves the issue of public PCs or friends’ PCs, and you have the ability to block access if the need arises. An auto logout won’t solve the issue of saved credentials in the web browser anyway.

#15

A lot of people are using the system in secure environments and it would be inconvenient to keep entering the password.

What I could add is a Remember me checkbox. If you log in with the option checked, then cookies would not be set to expire. Otherwise they could be set to expire after 20 minutes of inactivity.

3 Likes
#16

@lubos could you please add a Log out from all devices option?
My list Where You Are Logged In when I click the username is way too long.

#17

@Genti_Ge when you change the password, it will automatically logout all sessions except the one you are currently using. At least the latest version (19.2.60) does it this way.

1 Like
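
An added example, not part of the thread and not Manager's own code: a minimal server-side session table showing idle expiry with a "remember me" flag as proposed in #15, and revocation of a user's other sessions on password change as described in #17. The class, method and user names are hypothetical; the point is that expiry and revocation are enforced by the server, whatever the browser does with the cookie.

```python
import secrets
import time

IDLE_TIMEOUT = 20 * 60  # seconds; the 20 minutes of inactivity proposed in #15


class SessionStore:
    """Hypothetical session table: the cookie carries only an opaque token."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._sessions = {}      # token -> {"user", "remember", "last_seen"}

    def login(self, user, remember=False):
        token = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[token] = {"user": user, "remember": remember,
                                 "last_seen": self._clock()}
        return token

    def validate(self, token):
        """Return the user for a live session, else None (dropping it)."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if not s["remember"] and now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]  # idle expiry enforced server-side
            return None
        s["last_seen"] = now           # sliding window: activity renews it
        return s["user"]

    def change_password(self, user, current_token):
        """Revoke every session of `user` except the one making the change."""
        revoked = [t for t, s in self._sessions.items()
                   if s["user"] == user and t != current_token]
        for t in revoked:
            del self._sessions[t]      # "remember me" sessions are revoked too
        return len(revoked)


if __name__ == "__main__":
    store = SessionStore()
    office = store.login("alice")               # constructed sample users
    cafe = store.login("alice", remember=True)  # session left on a shared PC
    print(store.change_password("alice", current_token=office))  # sessions revoked
    print(store.validate(cafe), store.validate(office))
```
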
#18

I was looking into Remember me function and it seems like this pattern is no longer being used. None of the major websites support this.

I think the reason is that the Remember me checkbox is confusing because even if you want to be remembered, it’s really up to the web browser (or add-ons) whether they let the cookie persist.

As for automatic logout, if you are using an untrusted computer, you should always use the web browser in Private window mode or something like that. I’d argue to never use an untrusted computer to log in anywhere. Even if your session is automatically logged out, there could be a keylogger installed which could have captured your password anyway. Perhaps this is the reason Remember me is falling out of fashion. It provides a false sense of security.

If you are using your computer, I really see no reason for the software to automatically log you out. If you go away from your computer and don’t want anybody to access it, lock it at operating system level.

#19

Can the said behavior be made obvious to users, such as by inserting a small note somewhere in the guide and user account form?

The chances of them using a private tab in the web browser are somewhat infrequent, and sometimes they forget.