Fingerprinting devices/matching sessions to a device. #1829
Comments
This topic is a ping for @jmanico |
A "device" is just another active session and should just be listed with the other active sessions, IMO.
|
A device (mobile phone, laptop or whatever, or you may take the browser as the "unique key" here) may have many sessions. The question is whether there is a need for an extra "grouping mechanism" for sessions, showing from which device they are used, or whether "just a session list" is enough. |
I think just a session list is enough. And a session attached to a mobile device should be labeled as such.
I may be missing the nuance of this, but I look at how most sites work around this and I just see one active session for my mobile device and can cancel it if I want.
|
The nuance here is actually your own comment: #1800 (comment) |
As we don't interpret the word "device" the same way, it is already an "alarm" for the word in the requirement.
When showing the list of active sessions, it is helpful for a user to understand from where he/she is logged in, and it is helpful to log out just one device. If the "device" information is not shown, the user must still be able to terminate all active sessions. From this perspective, it is a bit of a usability question. It gives additional information if the user clearly recognizes "that is not my device" from the list; then it is a more informed decision to end the session for that device.
Then, first, we need to define what we mean by "device". Second, how much information can or should a web application enumerate about the user? How quickly does that come into conflict with policies and perspectives that say you should not collect more information about the user than is required to serve the user? |
Well, it seems that the device thingy is actually required anyway: |
I am going to leave this open for the rework but not convinced we need to worry about it. |
The key here is that I think we need to list active sessions and the type of device (browser, mobile, desktop, etc.), giving the user the chance to cancel each session. Each unique session should be listed, so if the user is logged into multiple browsers, there will be multiple session listings. The key is to provide a way for a user to cancel any or all existing sessions. |
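As an added illustration of the session listing described in the comment above (example code, not part of this issue or of the ASVS project): a minimal per-user session registry that labels each session with a coarse device type and lets the user cancel one session or all of them. The User-Agent classification is an assumption and is deliberately coarse, so the server learns a label, not a fingerprint.

```python
# Added example, not from the ASVS issue or project: per-user session registry
# with coarse device labels and per-session / all-session revocation.
import secrets
from dataclasses import dataclass


def device_type(user_agent: str) -> str:
    """Coarse label only (browser, mobile, desktop): enough to recognise a
    session in a list, not enough to track a user. Assumed heuristics."""
    ua = user_agent.lower()
    if "mobile" in ua or "iphone" in ua or "android" in ua:
        return "mobile"
    if "windows" in ua or "macintosh" in ua or "x11" in ua:
        return "desktop"
    return "unknown"


@dataclass(frozen=True)
class Session:
    session_id: str
    user_id: str
    device: str


class SessionRegistry:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def create(self, user_id: str, user_agent: str) -> str:
        # Fresh random id per login: two logins from the same browser are two sessions.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(session_id, user_id, device_type(user_agent))
        return session_id

    def list_for_user(self, user_id: str) -> list[Session]:
        # Every unique session is listed, each with its device label.
        return [s for s in self._sessions.values() if s.user_id == user_id]

    def revoke(self, user_id: str, session_id: str) -> bool:
        # Ownership check: a user may only terminate their own sessions.
        session = self._sessions.get(session_id)
        if session is None or session.user_id != user_id:
            return False
        del self._sessions[session_id]
        return True

    def revoke_all(self, user_id: str, keep: str = "") -> int:
        # "Log out everywhere", optionally keeping the session making the request.
        doomed = [s.session_id for s in self.list_for_user(user_id) if s.session_id != keep]
        for session_id in doomed:
            del self._sessions[session_id]
        return len(doomed)
```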
This is a spin-off from this comment: #1800 (comment)
Should we have a requirement for L2 or something to in some way identify, track or fingerprint devices as part of session management?