[BUG] Session returned to the wrong ARCitect processus after login

[Tom-TBT]

OS and framework information (please complete the following information):

• OS: Windows Server 2016

Describe the bug On a Windows server, two users have a session open. The first starts ARCitect and logs in, everything is working normally.

When the second user starts ARCitect and logs in, there is no error shown, but no login appears on the ARCitect. Instead, the first user has obtained the session from the second without his awareness (the display username changes in the ARCitect of the first).

I guess that the session is returned to the first ARCitect processus found.

So if someone forgets to close ARCitect, that person will then prevent anyone else from using ARCitect on the system; but this is more of a security concern to me.

[JonasLukasczyk]

Thank you for raising this issue but ARCitect was not intended to support this usage scenario. The problem is that ARCitect relies on the standard oauth2 authentification process which shares the browser cache. I will try a workaround though that setups a separate cache per ARCitect instance. The downside is that after every ARCitect restart the user will have to enter the credentials again.

I also have a related question: in your usage scenario can both users login on the github / datahub webpage with their respective accounts? At the same time of course. I'm not familiar enough with windows server.

[Tom-TBT]

To describe in more detail, we have a Windows server on a very large processing station. Windows server allows concurrent users to log into their account and do whatever in their Windows account.

-> Maybe there's the same issue with "Switching users" in Windows.

Note also, when I saw the bug described here, we were using the ARCitect app from the same folder (a folder with shared apps between users). Could have its importance, I have zero idea how the app works.

I'd have to reproduce the issue with someone to tell you more about sessions in browser.

The problem is that ARCitect relies on the standard oauth2 authentification process which shares the browser cache

I'm all in for single sign-on, but if that means throwing session tokens to the first app that requests it, it's probably not worth it.

[Brilator]

-> Maybe there's the same issue with "Switching users" in Windows.

It's also an issue on macOS:

1. Open ARCitect
2. Leave ARCitect open and switch user
3. Try to open ARCitect from other user, see error:

I can click ok and keep working with ARCitect.