Authentication in 2 different tabs with 2 different sets of credentials confuses rights.
This issue happens on instances of node-solid-server with Firefox (i.e. https://solid.community, https://solidtest.space).
Preparation
- Have 2 different solid accounts/WebIDs (user0, user1)
- Create a new chat in https://user0.somehost/public/chat (chat)
- Add user1 to Posters (i.e. give her Append rights). User0 should already be Owner of the chat. Now, both user0 and user1 should be able to add new messages, but only user0 should be able to delete messages.
- Clear cookies or whatever place the credentials are stored.
Issue
- Open a new tab with the chat and log in as user0.
- Open another tab with the chat (you should see Log In button) and log in as user1.
- Now user1 is able to both post messages as user1 and delete messages.
Expected behaviour
One of the following:
- Allow only 1 logged-in user (i.e. be already logged in) when opening a new tab with a solid app.
- Use a consistent authentication for every tab.
Hypothesis
Authentication seems to be done with a cookie, and in both cases the same cookie seems to be used, with the rights of the first logged-in user.
Browser: Firefox 60.0
Operating system: Arch Linux
> Open another tab with the chat (you should see Log In button) and log in as user1.
I think if you open a New Private Window instead of a New Tab you can use two different identities in those two windows.
@elf-pavlik That should indeed work, because both instances keep separate cookies.
The issue described is the following: It is possible to log into two accounts within the same browser instance, but it is inconsistent. It should be either impossible or consistent. I updated the issue to reflect this.
The issue might as well be within the particular chat app, which may deal with cookies (or whatever the source of the issue) inconsistently; and not here. I don't know.
This is interesting! You're right that the expected behavior is that when you load the Chat app in the second tab, it should already be logged in with the first user (since tabs open to the same origin share both session cookies and credentials stored in localStorage).
The fact that it doesn't suggests that maybe the app is not checking for session state on page load? (Could be worth opening an issue with that app, too).
(Fwiw, there was a recent bug in Firefox - https://bugzilla.mozilla.org/show_bug.cgi?id=1450199 - where cookies were not being synced between two tabs. But that's marked as fixed in Firefox 60, which @mrkvon is using. Thanks for including the browser version in the issue, btw! :) )
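The Hypothesis in this thread, modeled as an added example (not code from node-solid-server or the chat app): rights are resolved from the origin-wide cookie while the tab's own login supplies the author, next to a check that uses one identity per request. The WebIDs, session id, ACL table and request shape are constructed assumptions.

```javascript
// Constructed model of the hypothesis in this issue; not node-solid-server code.
// WebIDs, session id, ACL and request shape are assumptions for illustration.
const USER0 = 'https://user0.example/profile#me'; // Owner of the chat
const USER1 = 'https://user1.example/profile#me'; // Poster (Append only)

const ACL = {
  [USER0]: new Set(['read', 'append', 'write']), // write is needed to delete
  [USER1]: new Set(['read', 'append']),
};
const can = (webId, mode) => (ACL[webId] ? ACL[webId].has(mode) : false);

// Server-side sessions, keyed by the cookie every tab of the origin sends.
const sessions = new Map([['sid-1', USER0]]);

// Hypothesised behaviour: the cookie decides the rights, the tab's login
// decides the author shown in the app. Two identity sources for one request.
function authorizeCookieFirst(req, mode) {
  const rightsOf = sessions.get(req.cookie) || req.tabWebId;
  return { author: req.tabWebId, allowed: can(rightsOf, mode) };
}

// Consistent behaviour: one identity per request; reject when they disagree.
function authorizeConsistent(req, mode) {
  const cookieWebId = sessions.get(req.cookie);
  if (cookieWebId && req.tabWebId && cookieWebId !== req.tabWebId) {
    return { author: null, allowed: false, reason: 'identity mismatch' };
  }
  const webId = req.tabWebId || cookieWebId;
  return { author: webId, allowed: can(webId, mode) };
}

// Second tab: logged in as user1, but the browser still sends user0's cookie.
const tab2 = { cookie: 'sid-1', tabWebId: USER1 };

console.log('cookie-first:', authorizeCookieFirst(tab2, 'write'));
console.log('consistent:  ', authorizeConsistent(tab2, 'write'));
```

Rejecting the mismatch corresponds to the first expected behaviour in the report (only one logged-in user per origin); the second would instead have the app read the existing session on page load so every tab shows the same identity.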