Modification ... or Bug Fix?



  • I've got this classic ASP web app that some management folks purchased.  They users keep complaining that they can't log in.

    It turns out, when they click the 'x' to close the IE window (the way we learn from internet browsing) it leaves them logged in to the web server until they time out at an hour.  They would have to go through the processes of clicking on 'log out' on the web page to create the round trip to the server to prevent this.

    The company is trying to tell me this is 'by design' and they want $$ to change this to even warn the user they are not logging out.

    What do you think?



  • Severely drain-bamaged login and session handling process if having an existing session prevents you from opening a session. Is there a specific requirement that a user can only have one active session?



  • @Bus Raker said:

    They users keep complaining that they can't log in.

    Ok, a bit confused here.   You say they are complaining that they can't log in...but you don't seem to mention logging in anywhere else, just logging out.  

    Is the problem that if they close the browser and try to log in again it doesn't let them (because they are already logged in)...or...what? 🙂

    -cw



  • @Bus Raker said:

    I've got this classic ASP web app that some management folks purchased.  They users keep complaining that they can't log in.

    It turns out, when they click the 'x' to close the IE window (the way we learn from internet browsing) it leaves them logged in to the web server until they time out at an hour.  They would have to go through the processes of clicking on 'log out' on the web page to create the round trip to the server to prevent this.

    The company is trying to tell me this is 'by design' and they want $$ to change this to even warn the user they are not logging out.

    What do you think?

    i just want a precision: when they close the browser, open it again and try to log in, what happens exactly? Are they already logged in or do they get an error message akin to "you are already logged in, fuck off" and aren't allowed to use the application? From your post I'm pretty sure it's the later, but I want to be sure.

    If it's the latter, then I think it's a bug and the proof of a braindead authentification model

    @CodeWhisperer said:
    @Bus Raker said:

    They users keep complaining that they can't log in.

    Ok, a bit confused here.   You say they are complaining that they can't log in...but you don't seem to mention logging in anywhere else, just logging out.  

    Is the problem that if they close the browser and try to log in again it doesn't let them (because they are already logged in)...or...what? 🙂

    -cw

    From what i understood, if the issue is indeed the later:

    The user can log in, but when he closes the browser and tries to log-in back again the server tells him he's already logged in and that he can't log again.

    What probably happens: the site uses sessions and a session cookie, but a given user can only ever have one existing session at a given time. And if you try to create a new session, it tells you that you're already logged in and you can't log in again.

    This was probably implemented so that two users couldn't use the same login, or so that you couldn't log from two different machine at the same time (sounds desktop-app envy here, and crappy design, they probably ran into some kinds of race conditions or something and monkey patched it instead of fixing it), but the great "feature" of this, the one Bus ran into, is that if you don't explicitely kill your session you have to wait until the session's death timeout clicks so that the session gets destroyed and you can log in again. Hence the timeout.



  • It's their fault. If it's by design, it's bad design, and an incomplete feature.

    It should provide an option to kill the running session, as our CMS does.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.