Last modified: 2014-10-16 11:32:09 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T73066, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 71066 - Users are not logged out when logging in as another user
Status: NEW
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Version: unspecified
Hardware: All All
Importance: Low normal
Assigned To: Nobody - You can work on this!
Reported: 2014-09-19 20:04 UTC by Tyler Romeo
Modified: 2014-10-16 11:32 UTC (History)

Description Tyler Romeo 2014-09-19 20:04:51 UTC
When already logged in, the login form (after I7e40c13a6ca5) will allow users to log in again as another user. However, in this scenario, LoginForm does not call $user->logout() on the original user.

The question: should it?

Extensions may be expecting the appropriate hooks to be called any time a user ends their session (and in this case, even though they are switching users, it can be considered an end to the session).

For example, Extension:SecureSessions keeps track of where a user is logged in, and shows that information to the user. However, it depends on the UserLogout hook to know when a session is terminated.
Comment 1 Bartosz Dziewoński 2014-09-19 21:18:59 UTC
(In reply to Tyler Romeo from comment #0)
> Extensions may be expecting the appropriate hooks to be called any time a
> user ends their session (and in this case, even though they are switching
> users, it can be considered an end to the session).
> 
> For example, Extension:SecureSessions keeps track of where a user is logged
> in, and shows that information to the user. However, it depends on the
> UserLogout hook to know when a session is terminated.

I don't see how this can possibly work when a user can just clear their cookies? I must be missing something.
Comment 2 Tyler Romeo 2014-10-16 11:32:09 UTC
Somehow didn't see the response.

Yes, it is not entirely accurate. However, think about the workflow for this. If somebody closes out their browser on another computer and the cookies are cleared for whatever reason, the user will probably not be surprised to see that session still listed.

But if a user explicitly logs off of a computer (or in this scenario, logs in as another user and then logs out), and then goes later to see that session still listed in their list of sessions, it will definitely be confusing and they might wonder whether they were actually logged out or not.

That is why I think it would be best to, at the very least, try and make the session list as accurate as it can possibly be.
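
The stale session entry discussed in the report and in comment 2, as an added stand-alone model that is not MediaWiki or SecureSessions code. `SessionTracker`, `LoginFlow` and the user names are hypothetical, and running the UserLogout hook is replaced by a direct method call.

```php
<?php
declare(strict_types=1);

// Hypothetical tracker in the style the report describes for Extension:SecureSessions.
final class SessionTracker {
    /** @var array<string, array<string, bool>> user name => set of session ids */
    private array $active = [];

    public function onLogin(string $user, string $sid): void { $this->active[$user][$sid] = true; }

    // The only place an entry is ever removed: the logout hook.
    public function onUserLogout(string $user, string $sid): void { unset($this->active[$user][$sid]); }

    public function sessionsFor(string $user): array { return array_keys($this->active[$user] ?? []); }
}

// One browser's login state; $callLogoutOnSwitch toggles the behaviour under discussion.
final class LoginFlow {
    private ?string $user = null;
    private ?string $sid = null;

    public function __construct(private SessionTracker $tracker, private bool $callLogoutOnSwitch) {}

    public function logout(): void {
        if ($this->user === null) {
            return;
        }
        $this->tracker->onUserLogout($this->user, $this->sid); // stands in for running UserLogout
        $this->user = null;
        $this->sid = null;
    }

    public function login(string $newUser): void {
        if ($this->user !== null && $this->callLogoutOnSwitch) {
            $this->logout(); // end the previous user's session before starting the new one
        }
        $this->user = $newUser;
        $this->sid = bin2hex(random_bytes(8));
        $this->tracker->onLogin($newUser, $this->sid);
    }
}

foreach ([false, true] as $callLogoutOnSwitch) {
    $tracker = new SessionTracker();
    $flow = new LoginFlow($tracker, $callLogoutOnSwitch);
    $flow->login('Alice');  // constructed user names
    $flow->login('Bob');    // log in as another user while still logged in
    $flow->logout();        // explicit logout, which ends only Bob's session
    printf("logout on switch: %s, sessions still listed for Alice: %d\n",
        $callLogoutOnSwitch ? 'yes' : 'no', count($tracker->sessionsFor('Alice')));
}
```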
