dcposch / scramble

Secure email for everyone
http://dcposch.github.io/scramble/

(Private) Key not cleared from account generation, when aborted. #35

Closed jaekwon closed 10 years ago

jaekwon commented 10 years ago

When the user generates a keypair but aborts before creating an account, say by hitting the back button, and then decides to log in as an existing user, the login will succeed but the sessionStorage['privateKeyArmored'] etc will belong to the aborted user.

This causes all kinds of problems like not being able to read messages, etc.

What is the benefit of using sessionStorage? Why not just use a plain old javascript global object for the session state? The app is a single page anyways.

dcposch commented 10 years ago

I'll make sure that sessionStorage[privateKeyArmored] is cleared when you log in.

The purpose of using sessionStorage instead of a window global is so that you don't have to log in again every time you hit "refresh" or open a new tab. Instead, your login lasts as long as the current browser session.

This is the same behavior people get when logging into existing webmail (eg Gmail) with "Keep me logged in" unchecked.

On Fri, Oct 11, 2013 at 6:17 PM, jaekwon notifications@github.com wrote:
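A small JavaScript model of the bug jaekwon reports and the fix dcposch describes, added here as an illustration; it is not code from the Scramble project. Only the `privateKeyArmored` key is named in the thread. The other storage keys (`user`, `pendingUser`, `token`, `publicKeyArmored`, `keyOwner`), the shape of the two login functions, and the Map-backed stand-in for `sessionStorage` (so the file runs under Node) are assumptions made for this example, and the "armored keys" are constructed placeholder strings, not key material.

```javascript
// Added example, not Scramble's own code: stale key material left in
// sessionStorage by an aborted account creation, and a login that clears it.

// Node has no sessionStorage; fall back to a constructed in-memory stand-in
// with the same getItem/setItem/removeItem/clear surface.
const storage = (typeof sessionStorage !== 'undefined') ? sessionStorage : (() => {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
    clear: () => { m.clear(); },
  };
})();

// Every per-user entry the app keeps. Only 'privateKeyArmored' comes from the
// issue; the rest are assumed names for this example.
const SESSION_KEYS = ['user', 'pendingUser', 'token', 'publicKeyArmored', 'privateKeyArmored', 'keyOwner'];

function clearSession() {
  for (const k of SESSION_KEYS) storage.removeItem(k);
}

// Constructed placeholder standing in for an ASCII-armored key; no real key material.
function fakeArmoredKey(owner, kind) {
  return `-----BEGIN PGP ${kind} KEY BLOCK----- (${owner}) -----END PGP ${kind} KEY BLOCK-----`;
}

// Account creation, step 1: generate a keypair and park it in sessionStorage so
// it survives navigation to the next step. If the user hits Back here, these
// entries are exactly what lingers in the tab.
function beginAccountCreation(username) {
  clearSession();
  storage.setItem('pendingUser', username);
  storage.setItem('publicKeyArmored', fakeArmoredKey(username, 'PUBLIC'));
  storage.setItem('privateKeyArmored', fakeArmoredKey(username, 'PRIVATE'));
  storage.setItem('keyOwner', username);
}

// Assumed shape of the reported behaviour: login records the new user and token
// but only loads a key when none is present, so an aborted signup's private key
// survives and is later used for the wrong account.
function loginWithoutClearing(username, token, privateKeyArmored) {
  storage.setItem('user', username);
  storage.setItem('token', token);
  if (storage.getItem('privateKeyArmored') === null) {
    storage.setItem('privateKeyArmored', privateKeyArmored);
    storage.setItem('keyOwner', username);
  }
}

// The fix dcposch describes: wipe every per-user entry before loading the
// logged-in user's state, so nothing from a previous flow can be mistaken
// for this user's key.
function login(username, token, privateKeyArmored) {
  clearSession();
  storage.setItem('user', username);
  storage.setItem('token', token);
  storage.setItem('privateKeyArmored', privateKeyArmored);
  storage.setItem('keyOwner', username);
}

// Defensive check a mail view can run before decrypting: the key in storage
// must be bound to the user who is actually logged in.
function sessionKeyBelongsTo(username) {
  return storage.getItem('privateKeyArmored') !== null
    && storage.getItem('user') === username
    && storage.getItem('keyOwner') === username;
}

// Plays both scenarios: alice generates a keypair and backs out, then bob logs in.
// Returns who owns the key left in storage after each variant of login.
function reproduce() {
  beginAccountCreation('alice');
  loginWithoutClearing('bob', 'tok-bob', fakeArmoredKey('bob', 'PRIVATE'));
  const buggyOwner = storage.getItem('keyOwner'); // 'alice': bob cannot read his mail

  beginAccountCreation('alice');
  login('bob', 'tok-bob', fakeArmoredKey('bob', 'PRIVATE'));
  const fixedOwner = storage.getItem('keyOwner'); // 'bob'
  return { buggyOwner, fixedOwner };
}

console.log(reproduce());
```

Running `clearSession()` at the start of both the signup and the login path means an abandoned flow can never hand its state to the next one, and the `keyOwner` binding lets the mail view detect a mismatch instead of failing with unreadable messages. The cost of the persistence dcposch wants is worth keeping in mind: anything in `sessionStorage` is readable by any script running on the origin, so a cross-site scripting flaw in the app would expose the armored private key for the lifetime of the tab.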