
Odd logout behavior

I’ve been noticing some odd logout behavior where logging out on one device logs me out on all of my devices. Steps to reproduce the issue:

  1. Log in on my phone
  2. Log in on my tablet
  3. Log in on my PC
  4. Log out on my PC
  5. Get automatically logged out on both my phone and my tablet

Is this expected behavior where logging out on one device logs you out on all devices?

I’ve done a bit more testing to try and confirm some details. I’ve confirmed that the _forum_session cookie value is different for each separate login, so it doesn’t appear to be a problem with the same session ID being used for each login. It looks like there are three different methods to log out (also shown in screenshot below).

  1. Click your user profile icon in the upper right corner of the page and click Log Out. This logs you out of all sessions on all devices. I assume this should only log you out of the current session on the current device.

  2. Click your user profile icon in the upper right corner of the page and click the Preferences gear. On the Preferences page, you can view Recently Used Devices. The devices you’re logged in on, other than the current device you’re using, have a wrench icon next to them. Clicking that wrench icon gives you a Log Out option. Clicking that Log Out option for a specific device just logs you out of that individual device but keeps you logged in on all other devices. This is as expected.

  3. Click your user profile icon in the upper right corner of the page and click the Preferences gear. On the Preferences page, you can view Recently Used Devices. There’s a “Log out all” link at the bottom of the Recently Used Devices section. Clicking this “Log out all” link logs you out of all devices. This is as expected.

So logout methods 2 and 3 are functioning as I would expect. I would assume logout method 1 should only log you out of the current session on the current device, not log you out of all sessions on all devices. The use case for this is logging in on a personal phone that you trust and leave logged in, but then also logging in on a shared PC where you don’t want others accessing your account so you log out after you’re done. I would assume logging out of the shared PC would allow me to stay logged in on my personal phone. Is this the intended behavior?

I suppose a work-around for the use case above would be to access your account from the personal phone when you’re done using the shared PC and use logout method 2 to log out of the shared PC. This would work; it would just be a bit more awkward than logging out directly from the shared PC.

After doing a bit more research, it appears this may be controlled by the “log out strict” setting (“When logging out, log out ALL sessions for the user on all devices”) that I’m assuming is enabled for these forums. Considering we have the “Log out all” link available to us, as well as the option to log out specific sessions, could the “log out strict” setting be disabled (assuming this is actually what is causing this behavior)?

@Modiphius-General, any thoughts on this issue?

Hello!

Apologies for not replying earlier - I didn’t see these for some reason, so sorry for that!

Yes, it’s due to the ‘log out strict’ setting - the reason we have that is that some features, including certain badges, are detected and activated on log in (and therefore require a log out).

We’ll keep an eye on this and see if it becomes an issue - are you swapping between devices a lot?


No worries. I don’t encounter this a real lot. I noticed it most while we were on vacation and I was using my wife’s laptop.