
Comments (4)

johnwilander avatar johnwilander commented on August 14, 2024

I'm not sure I understand this issue fully. Is this just about expiring/deleting website data based on the IsLoggedIn signal or lack of it? Because other uses of IsLoggedIn state are mentioned in the explainer. Or is it about not offering the isLoggedIn() API?

from is-logged-in.

samuelweiler avatar samuelweiler commented on August 14, 2024

> I'm not sure I understand this issue fully. Is this just about expiring/deleting website data based on the IsLoggedIn signal or lack of it? Because other uses of IsLoggedIn state are mentioned in the explainer. Or is it about not offering the isLoggedIn() API?

The topic of "what is this for" came up - at some length - in today's CG call.

I'm saying "I understand the two uses of this are X and Y" - if you think there are others in the explainer, perhaps try to extract them to make them more clear?

Further, I'm suggesting

  1. that a "you may/should destroy state now" signal seems more directly on-point for one of the use cases I understand this is solving.
  2. the other use case doesn't need this signaling.


johnwilander avatar johnwilander commented on August 14, 2024

This was discussed on today's W3C WebAppSec call. From the notes, lightly edited:

John W: There's a GitHub issue on this [this one!]. I think if it was just down to the managed authentication flows, we could make it work. Password manager, WebAuthn, that's good enough. But two other things:

  1. The user needs to be able to log out and store that state. There's not a good heuristic for this action [for instance, sites don't clear all their website data on logout]. It needs to be a distinct thing.
  2. There are so many custom login flows. The site may be actively trying to break password managers or something might happen out-of-band with your phone to login, which is invisible to the browser. Better to just give the site the ability to make an assertion.

Sam W: Logout, I get. There's a good case for that kind of signal. The strange flows to support suggest that the problem of trusting the signal is hard, that the heuristics won't be good enough.

John W: Yes, this is hard. We might solve the hard cases with a prompt, or prominent UI in the browser that could help users understand and react. An example of a hard case: BankID in Sweden. The bank site shows a QR code that you scan with your phone, where an auth flow in the BankID app magically moves you to a logged-in state in the browser. Also note: banks have such short limits on state that they're not really the canonical case.

Does the above resolve this issue, Sam?


samuelweiler avatar samuelweiler commented on August 14, 2024

No, it does not. (If only because I don't fully understand the minutes, which are surely somewhat mangled.) Would you indulge me and enumerate the additional use case (again)?

