SamCooper / COMMON_SPEC_RIDS


[Login service] How do we handle a user logging in twice? #98

Closed apinder closed 6 years ago

apinder commented 6 years ago

If a user successfully logs in with 2 different usernames without logging out from the first, should we treat both of them as logged in, or should the second successful login force a log out of the first?

E.g. given a scenario where the login operation of the login service sees that the incoming interaction contains an existing non-null/non-empty auth ID in the header, should we log out the user associated with this auth ID or leave it be and keep them both logged in? If we leave it be, the only way to log out the first logged-in user would be to send that old auth ID up with the logout request. Either way, one of these options needs to be clarified as a requirement.

SamCooper commented 6 years ago

Good one!

I don't think that should be allowed so we should probably require a blank field in the message?

apinder commented 6 years ago

Could work - in this case we'd assert that the auth ID header in the login op == null, otherwise throw an error. They'd then need to clear their auth ID using the logout op and then log in again. One issue with that is that they could still bypass the check by not sending the auth ID down on the login op, but I suppose that's covered by the MAL spec that you mentioned in the other issue.

SamCooper commented 6 years ago

We don't need to validate their system; it's perfectly possible they may support multiple logins concurrently and magically swap between them (we as service providers wouldn't know or care).

I'll add in the requirement and error
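The behaviour agreed in this thread (the login operation rejects any request that already carries a non-null/non-empty auth ID, and logout is the only way to clear one), as an added illustration that is not code from the COMMON_SPEC_RIDS project. The `LoginService` class, its in-memory session store, the `LoginError` name and the `_USERS` credential table are all constructed for this example; the real spec's error code and header layout are not given on the page.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


class LoginError(Exception):
    """Hypothetical error raised when the login or logout operation rejects a request."""


# Constructed credential table for the example; a real service would consult
# a credential store, not a dictionary of plaintext values.
_USERS = {"alice": "pw-alice", "bob": "pw-bob"}


@dataclass
class LoginService:
    # Maps issued auth IDs to usernames (constructed in-memory store).
    sessions: Dict[str, str] = field(default_factory=dict)

    def login(self, username: str, password: str, header_auth_id: Optional[str]) -> str:
        # Requirement from the thread: the auth ID field of the login operation
        # must be blank. A non-null/non-empty value means the consumer already
        # holds a session and must log out before logging in again.
        if header_auth_id:  # rejects both a stale and a still-valid auth ID
            raise LoginError("auth ID header must be blank on login; log out first")
        if not self._credentials_ok(username, password):
            raise LoginError("invalid credentials")
        auth_id = secrets.token_urlsafe(16)
        self.sessions[auth_id] = username
        return auth_id

    def logout(self, header_auth_id: Optional[str]) -> None:
        # Logout is the only way to clear an issued auth ID; the request must
        # carry the auth ID that was issued at login.
        if not header_auth_id or header_auth_id not in self.sessions:
            raise LoginError("logout requires a valid auth ID")
        del self.sessions[header_auth_id]

    @staticmethod
    def _credentials_ok(username: str, password: str) -> bool:
        expected = _USERS.get(username)
        return expected is not None and secrets.compare_digest(expected, password)


def double_login_scenario() -> dict:
    """Replays the scenario from the issue: alice logs in, then a login as bob
    arrives carrying alice's auth ID. The service rejects it; after logout the
    second login succeeds and only bob's session remains."""
    svc = LoginService()
    first = svc.login("alice", "pw-alice", None)
    try:
        svc.login("bob", "pw-bob", first)
        second_rejected = False
    except LoginError:
        second_rejected = True
    svc.logout(first)
    second = svc.login("bob", "pw-bob", "")
    return {
        "second_rejected": second_rejected,
        "active_users": sorted(svc.sessions.values()),
        "second_auth_id": second,
    }


if __name__ == "__main__":
    print(double_login_scenario())
```

As the thread notes, a consumer that simply omits the auth ID on a second login is not caught by this check; the service provider deliberately does not try to infer anything about the consumer's own session handling.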