Logging Out appears unsafe
shrekie
Hi,
I can't seem to find anything in the forums about the issue of logging out of smugmug, but I have been experiencing serious issues with this.
I have tried logging out in both Safari and Firefox on the Mac, and IE on a PC, and it doesn't actually log me out. It says I am logged out, but as soon as I click on my Galleries, it will take me straight back into my logged in account, showing me all the private galleries.
This doesn't appear to happen all the time, but it has certainly happened enough times for me to be concerned about security issues of logging in and out, especially when using computers other than my own.
I wonder if other users have had similar experiences?
Nelson
Website: www.lookingglassphotography.com.au
Blog: http://lookingglassphotography.posterous.com/
Twitter: http://twitter.com/LookingGlassPho
Comments
Usually, refreshing the page also shows you as logged out.
www.ivarborst.nl & smugmug
Hi ivar,
Yes, I am logging out of my custom domain. If this is the issue, why is it that we have to use our nickname.smugmug.com instead of our own domain name which we paid money to obtain and spent all that time setting up? It seems strange that to access my own website securely, I can't even use my own personal website address.
Website: www.lookingglassphotography.com.au
Blog: http://lookingglassphotography.posterous.com/
Twitter: http://twitter.com/LookingGlassPho
Hello Nelson, it's the way it has to work, so that cookies and all work just right with your CNAME.
http://www.smugmug.com/help/acctlogin
See the "gotcha"
Nobody will ever know but you, the site owner. Login, out from www.smugmug.com
Portfolio • Workshops • Facebook • Twitter
Hi Andy,
Ok, thanks for confirming that:)
Website: www.lookingglassphotography.com.au
Blog: http://lookingglassphotography.posterous.com/
Twitter: http://twitter.com/LookingGlassPho
I still don't get why you don't just fix this. It bites your customers all the time. If the logout operation has to happen from www.smugmug.com or username.smugmug.com, then just make the logout link on their custom domain page take them to a place where it does work and do it there. Use a parameter on the URL to trigger some JS. This would not be hard to fix at all. It's a bug that you offer a logout link that doesn't work for anyone with a custom domain.
Or, if you really don't want to fix it, then get rid of the busted logout link entirely so users will have to go find one that will work. This is a bug, plain and simple.
Homepage • Popular
JFriend's javascript customizations • Secrets for getting fast answers on Dgrin
Always include a link to your site when posting a question
Haha thanks John. :jfriend
It's working as it's designed to work. Sorry, and I really don't want to fight with you about this. We can't fix what isn't broken. You say "fix" but the feature is designed this way and we tell our customers about it on our help pages.
Portfolio • Workshops • Facebook • Twitter
OK, you decide if you want to leave it that way. I know from previous discussions not to get into a semantic argument over what is and isn't a bug. To me a bug has always been anything that a customer thinks is a bug or a customer thinks is wrong. There are lots of developers who think a bug is only something that they would consider a mistake. The former definition is much more customer aware.
I find it unusual that you say a feature that doesn't work for anyone with a custom domain is "working the way you designed it". It's completely busted for them. You may have decided to leave it that way and thus have documented it in the help pages, but that doesn't mean it works as it should or that anyone, including your developers, actually wants it to work this way. What you really mean is that you know it doesn't work like your customers want it to, but you've decided not to prioritize changing it.
If you wanted it to work for everyone, it would not be hard to replace that logout link with a link that takes you to www.smugmug.com?logout=yes and then in www.smugmug.com add a little javascript to sniff the logout=yes parameter and trigger the logout. Or, you could make a new landing page www.smugmug.com/logout and have that page always process the logout. Or, there are probably five other solutions too. This is quite solvable if you wanted to prioritize it to work for everyone.
I would think a better answer to this issue would have been as follows. This also would have completely ended the conversation.
"Yes, that logout link doesn't work for people with custom domains. I'm sorry about that. I will make sure that this is on the list of things that aren't working as well as we'd like, but I can't promise anything now. In the meantime, a work-around is documented here."
Instead you defend its poor behavior, which is what makes me argue with you.
Homepage • Popular
JFriend's javascript customizations • Secrets for getting fast answers on Dgrin
Always include a link to your site when posting a question
I've been a pro user for 5+ years, with a custom domain. I've never, ever had an issue with this. I'm happy that the feature allows me to use my custom domain.
I log in and out of SmugMug dozens of times a day, on two platforms, Mac and PC, and four different browsers. Every. Single. Day.
There's a tremendous amount of cross-domain cookie stuff that the sorcerers have to deal with - and if this is the way it has to work for everything at SmugMug to work great for pros that want to use their own domain name, I can live with it.
John, having seen first hand what can bust if cross-domain cookie stuff isn't handled just right, I don't want to mess with this.
I also hate disappointing you, because you are so thoughtful in your posts here. But in this case, we'll have to agree to disagree, John, and let the help page doco carry the day.
I'm sorry I don't have a better, more palatable, more swift fix answer for you. But I can tell you this, we care about what you say.
Portfolio • Workshops • Facebook • Twitter
Can't make any promise about when, but I can promise you that it's being looked at.
Thanks to all of you for pushing on this - we *love* to hear from customers, yes, sometimes even I can be flapped (is that the opposite of unflappable?) :jfriend
Portfolio • Workshops • Facebook • Twitter
Cool.
Homepage • Popular
JFriend's javascript customizations • Secrets for getting fast answers on Dgrin
Always include a link to your site when posting a question
Thanks for the continuing dialogue John & Andy:)
I have often used my friends' and family's computers to show them how my smugmug account works as many have expressed interest in subscribing at some stage. However, in future, if I have to log in to my own account on their computers as lookingglassphotography.smugmug.com, I wouldn't really like to have to do that because:
1. It takes longer to type,
2. It makes the domain name look clunky,
3. It means I have to explain that even though I have purchased and redirected my site to my own unique domain name, it doesn't really work like that when I have to use it myself...
4. It seems amateurish, which is not a good thing if you've spent a lot of time customising your site (and makes it a bit harder to evangelise smugmug:D ).
I know that this is documented as a "Gotcha!" but as it is such a serious security flaw, I wonder how many users are like me, who have overlooked it and are actually not consciously aware of this? I know for a fact now that I have used my account on other people's computers and not actually technically "logged off". In these cases, they wouldn't even know how to help me log out of my account if they wanted to:)
Your suggestions sound like very sensible ones John...I'm hoping that Andy will return at some stage with good news:) Thanks for the update Andy.
Website: www.lookingglassphotography.com.au
Blog: http://lookingglassphotography.posterous.com/
Twitter: http://twitter.com/LookingGlassPho
I just caught up on this thread, then looked at the login / logout links available to me on my site.
The logout link is
http://www.smugmug.com/logout.mg?goTo=http%3A%2F%2Fgallery.primarycolors.com%2F
The login link is
https://www.smugmug.com/login.mg?goTo=http%3A%2F%2Fgallery.primarycolors.com%2F
This must've changed as of the last 24 hrs. Brilliant! It's working perfectly now!
Thanks for listening and taking our suggestion on board and relaying it back to the team Andy...much appreciated as always:)
Great work Sorcerers!
Website: www.lookingglassphotography.com.au
Blog: http://lookingglassphotography.posterous.com/
Twitter: http://twitter.com/LookingGlassPho
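
The pattern discussed in this thread (a logout link on the custom domain that points at a logout endpoint on the primary domain and carries a `goTo` return URL), sketched as an added example; it is not part of the original posts and is not SmugMug's code. The cookie name, the cookie domain, the allow-list of return hosts and the function names are assumptions. It also shows the check such an endpoint needs so that `goTo` cannot be used as an open redirect.

```javascript
// Added example; hypothetical names and values, not SmugMug's implementation.
const SESSION_COOKIE = 'session_id';             // assumed cookie name
const PRIMARY_ORIGIN = 'https://www.smugmug.com'; // https assumed for the primary site
const ALLOWED_RETURN_HOSTS = new Set([           // constructed sample of registered custom domains
  'gallery.primarycolors.com',
]);

// Logout link rendered on a custom-domain page. A browser only lets a host
// change cookies for its own domain, so the link goes to the primary domain.
function logoutLink(currentPageUrl) {
  return `${PRIMARY_ORIGIN}/logout.mg?goTo=${encodeURIComponent(currentPageUrl)}`;
}

// Accept goTo only if it is http(s), has no embedded credentials, and its host
// is a registered custom domain or a smugmug.com host; otherwise fall back.
function safeReturnUrl(goTo) {
  const fallback = PRIMARY_ORIGIN + '/';
  let url;
  try { url = new URL(goTo); } catch { return fallback; }
  const okScheme = url.protocol === 'http:' || url.protocol === 'https:';
  const okHost = ALLOWED_RETURN_HOSTS.has(url.hostname) ||
    url.hostname === 'smugmug.com' || url.hostname.endsWith('.smugmug.com');
  return okScheme && okHost && !url.username && !url.password ? url.href : fallback;
}

// Logout handler on the primary domain. `sessions` is the server-side session
// store (a Map here); the return value describes the HTTP response to send.
function handleLogout(requestUrl, sessions, cookieHeader) {
  const goTo = new URL(requestUrl, PRIMARY_ORIGIN).searchParams.get('goTo') || '';
  const match = new RegExp('(?:^|;\\s*)' + SESSION_COOKIE + '=([^;]+)')
    .exec(cookieHeader || '');
  if (match) sessions.delete(match[1]); // invalidate server-side, not only in the browser
  return {
    status: 302,
    headers: {
      // Expire the cookie with the same Domain/Path it was set with (assumed values).
      'Set-Cookie': `${SESSION_COOKIE}=; Domain=.smugmug.com; Path=/; Max-Age=0; Secure; HttpOnly`,
      'Cache-Control': 'no-store', // keep logged-in pages out of shared-computer caches
      Location: safeReturnUrl(goTo),
    },
  };
}
```

Deleting the session from the server-side store matters on shared computers: a copy of the old cookie value is then useless even if the browser did not drop it.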