Infrastructure

Looking at Set-Cookie header values I don't see any expire and max-age attributes. André Littoz , could it be that your browser doesn't delete so-called session cookies when you close it? Could you please open your browser (new session), visit https://auth.documentfoundation.org and authenticate, visit https://ask.libreoffice.org and authenticate (with username+password), then close your browser, restart it, and visit these two sites again. Are you pre-authenticated or do you land in an anonymous session?

Recent versions of Firefox are not as convenient as older ones to examine cookies. You now need to be connected with the site to be able to dump them.

Is the site auth.documentation.org ?

EDIT OK, I figured out. I found "generic" cookies `.documentfoundation.org` plus specific "application" cookies`redmine.…` or `vm22.…`. I think the "critical" ones are those with name `lemonldap` and an apparently random hashed name, both in the "generic" domain and same for all applications. They have Session, HttpOnly and Secure attributes.

I'm beginning to suspect my problem is related to my workflow.

André Littoz wrote:

I'm beginning to suspect my problem is related to my workflow.

Please try the experiment suggested earlier so we can confirm. :-)

I confirm that after a full shutdown and restart (not a simple reboot), I still don't need to enter my credentials to log in.

Pressing the login link is enough to connect to Discourse and Redmine.

This means some information is persistent on my computer.

André Littoz wrote:

Pressing the login link is enough to connect to Discourse and Redmine.

These two rely on the Single Sign-On portal (and the same auth protocol) for authentication. Please also check with AskBot (using username+password authentication not OAuth/OpenID) to confirm it's not an issue with our SSO system.

AskLO signin with password

No persistent data. After sign-out, I must retype userid/password.

AskLO signin with Google

A click on this icon suffices to be connected. Some persistent data is kept somewhere.

André Littoz wrote:

AskLO signin with password

No persistent data. After sign-out, I must retype userid/password.

Yes of course, but that's not what I was interested in. Quoting msg#1 of the present issue:

Guilhem Moulin wrote:

Could you please open your browser (new session), visit https://auth.documentfoundation.org and authenticate, visit https://ask.libreoffice.org and authenticate (with username+password), then close your browser, restart it, and visit these two sites again. Are you pre-authenticated or do you land in an anonymous session?

So do not log out. Just log in to these sites, close your browser, and start it again please (better not click the “restart” button as it might not completely flush the state).

FWIW it appears AskBot doesn't set session cookies but cookies with a 1 year resp. 14 days lifetime.

$ curl -so/dev/null -D- https://ask.libreoffice.org/en/account/signin/ | grep -i ^Set-Cookie:
set-cookie: ask.libreoffice.org_en_csrf=…; Domain=ask.libreoffice.org; expires=Thu, 02-Sep-2021 20:35:33 GMT; Max-Age=31449600; Path=/
set-cookie: libo-session-pt-br=…; Domain=ask.libreoffice.org; expires=Thu, 17-Sep-2020 20:35:33 GMT; httponly; Max-Age=1209600; Path=/

I'm not familiar enough with the AskBot authentication mechanism to comment on that. OTOH the Single Sign-On portal sets session cookies, and if your browser doesn't delete them when you close it I'm not sure what we can do about that.

André Littoz wrote:

AskLO signin with Google

A click on this icon suffices to be connected. Some persistent data is kept somewhere.

I read the exact opposite at https://vm222.documentfoundation.org/t/custom-log-in-control/115/8 . AFAICT the above 1/ suggests that your browser indeed doesn't close session cookies when you close it; and 2/ the log-out button doesn't act as a single sign-out (which TBH would be rather strange for a third-party Identity Provider).

Before making the experiment as precisely described in comments #1 and #7, more information:

I used my laptop to connect to Discourse. Behaviour is totally different. Everything goes as expected. After logout and browser close, credentials are requested anew.

The main difference between my laptop and my desktop is my laptop has not been updated for months (because I want to backup safely works I did on it years ago and make sure data is accepted in newer versions of applications on my desktop; until I'm confident I won't lose data, the laptop is "frozen").

OS (Linux too) is lagging many releases behind my desktop. Firefox is an outdated version.

I disapprove directions taken by Mozilla security-wise. In latest Firefox versions, you can no longer set your own cookie acceptance and lifespan policy. Cookies are always stored and trying to mitigate that is quite cumbersome, needing to explore the local sites store. And even here, you can't selectively delete cookies, you can only enable or disable sites as a whole.

Considering the difference between my laptop and desktop, I think browser configuration/behaviour plays a role in the issue.

Trial protocol as requested

Preparatory phase

I went to auth.documentationfoundation.org to logout. Took me several attempts to be really logged out.

Closed browser

Experiment

- open browser
- access auth.documentationfoundation.org to authenticate (leave tab open)
- access ask.libreoffice.org and log in with userid/password (leave tab open)
- close browser
- open browser
- both tabs are restored and show that I'm connected (auth page displays the password change form and AskLO the usual question list)

Technical details

- kernel Linux 5.8.4
- desktop KDE Plasma 5.18.5
- Firefox 80.0.1

Thanks for trying! Based on this I'm tempted to close this as “can't fix”: I don't see what we can do on our end to fix this, but if you know of a cookie attribute to force deletion when the browser closes let us know :-)

Last quick experiment, does the same thing happens if you close the browser by closing all tabs successively?

• open browser
• open https://auth.documentationfoundation.org in a new tab, authenticate
• open https://ask.libreoffice.org in a new tab, log in with userid/password
• close both tabs (I guess closing the last tab closes the browser)
• open browser
• visit https://auth.documentationfoundation.org again: are you pre-authenticated
• visit https://ask.libreoffice.org again: are you pre-authenticated?

(For AskBot this is not too surprising since it doesn't set session coookies, however for the the SSO portal the situation is different.)

Last experiment

• log out from documentfoundation.org with explicit argument ?logout=1 (from bookmarks)
• close browser
• open browser
• new tab to auth.…, authenticate
• new tab to ask.libreoffice.org, log in with userid/password (not through OpenID)
• close auth tab
• close ask tab
• close browser
• open browser
• new tab to auth, screen displays page to change password (hence already logged in)
• new tab to ask, already logged in

Don't close the ticket for the moment. I'll install a VM with basic configuration when I have time. I want to make sure that nothing in my daily configuration is causing the problem.

Meanwhile, I've bookmarked the full sign out URL and this is an acceptable workaround.

Side remark:

For several weeks now, it has been impossible to login into AskLO with Yahoo!. I must use either Google (which I don't like) or userid/password. It already happened in the past and was fixed. Can you do something about that?