Description of problem: if I open the UI in two tabs and try to log in with two different users we automatically change both sessions to the last user logged in. 1. I am thinking that when I want to do some tests for users added to my system I am not want to log out of my own session and re-login or open two browsers. 2. if we decide that this is the correct behaviour I still think that if we were logged in with userA and now login on a different tab with userB we should not automatically change both sessions to userB but rather logout completely from the session. Version-Release number of selected component (if applicable): python-django-horizon-2013.1.2-1.el6ost.noarch How reproducible: 100% Steps to Reproduce: 1. create a new user without 2. give the user member permissions on a project 3. while logged in as admin user, open a second tab and login with the user you created Actual results: once we login, both sessions (the one that was already logged in and the new one) are changed to be logged in with the newly created user credentials. Expected results: We should either allow cookies per user or should logout the previous user and redirect to the login page. Additional info:
I'm afraid this is the way browser sessions work. If you want to have multiple user sessions in parallel, you should use multiple browsers or create separate browser profiles (firefox).
*** Bug 984636 has been marked as a duplicate of this bug. ***
1. I can log in to rhevm with two different users on two different tabs on the same window so it can be solved. 2. in https://bugzilla.redhat.com/show_bug.cgi?id=984636 which was closed as duplicate we are able to create objects while still being told we are logged in with the first user, so the least we can do is log the user out and not sent the commands to create objects with the new user I'm reopening since I think that even if we currently cannot solve this issue, at least the second option should be prevented.
This breaks a number of standard UX expectations for web applications. At this time, multiple users within the same browser is not a supported use case in Horizon. I would encourage using the workaround of having multiple browsers. As far as I can tell, the /auth/login page is the only way to be able to log in into horizon while another session already exists. Perhaps it should also redirect to the user home page so that it's not possible to try and login again.
Liz, can you please comment on the expectation of logging in two different persons in two browser tabs?
Maybe this isn't the point, but I'm not sure how often users will want to log into OpenStack as different users in different tabs. This could be something that we are hitting in development and testing, but really won't be a big use case for our customers. I would expect that if we were to support this functionality somehow, it would be lower priority. In the meantime, if a user does attempt to open a new tab and log in as another user, I think we should make sure the OpenStack web application notifies the user quickly in one of the tabs that "Another user has logged in on this computer." or something, so that it is clear that they are now being mirrored. I believe Facebook does something similar to this. My thoughts!! Liz
(In reply to Liz from comment #6) > In the meantime, if a user does attempt to open a new tab and log in as > another user, I think we should make sure the OpenStack web application > notifies the user quickly in one of the tabs that "Another user has logged > in on this computer." or something, so that it is clear that they are now > being mirrored. I believe Facebook does something similar to this. I don't see, that is possible at all, or would help at the described issue.
I would like to address this in the following way: Currently if I am not logged in and access https://<my_dashboard.com> I see the login form displayed. After logging in, if I try to access this URL again, I will be redirected to the Overview page. I would like the /auth/login/ URL to behave in the same way: if the user is not logged in, display the login form. If the user is already authenticated, redirect to the Overview page. I think this is in line with how most other web applications handle this, and would reduce user confusion around the problem.
I think this makes sense, Julie.
How to test: 1. Log in to Horizon 2. Go to https://<my_ip>/dashboard/auth/login 3. You should be redirected to the home page
This should get pulled in when we rebase django_openstack_auth (although note that the patch itself has not been included in a tagged release yet).
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
This already is implemented and works the way described in comment 10 and comment 12 in OSP6 and all later versions.