Authentication Across Browser Tabs/Windows
How do I use the same authentication session across multiple browser windows/tabs (multiple WApplication sessions)? After logging into a Wt application using the built-in AuthWidget and navigating to a page that also requires authentication by right-clicking on the link and doing "Open In New Window" or "Open In New Tab", you are forced to log in again. This is not desirable and is inconsistent with how typical web apps are written.
Is there a simple solution to this that I am not seeing in the docs?
A hacky workaround I found is to check "Remember me for 2 weeks", but this should not be necessary and presents problems of its own. Namely that logging out on one of the tabs (WApplication session) leaves all the other tabs (WApplication sessions) still logged in. You must log out of each one independently. This could even qualify as a security risk because a user might think they are logged out when they are really not.
I do understand the need/implicit design reasoning for using multiple WApplication sessions for multiple tabs. WServer::post() wouldn't know which tab to push to if they all had the same WApplication::sessionId. But I don't know the internals of Wt enough to provide a solution. Couldn't the authentication browser-session (and/or cookie --- though not to be confused with the 'remember me' cookie) details be shared across WApplication sessions? I'm unsure even then if a log-out on one WApplication session would trigger a log-out on the other, since (correct me if I'm wrong) the only time Wt checks said values is on AuthWidget::processEnvironment(). I might be wrong here... that might only be for 'remember me for 2 weeks' cookies (and the registration verification, though that isn't relevant). I clearly don't understand the Wt internals enough to really help... but that's my best guess.
I think you've identified a reasonable feature that is not part of Wt::Auth.
We probably need to use a different token, stored in a cookie which has "session scope" in the browser and which can be used to track the user during a single (browser) session in different tabs. Logging out would then invalidate this cookie.
As you indicate this does require that other sessions can be notified somehow that they should be logged out. Because I wouldn't want to rely on server push for this (inter-session communication is only straightforward if all sessions run in a single executable anyway), but rather on an auth function that could be called from within WApplication::notify() which performs the check to log out the user based on a lack of the cookie from the current request.
If you're interested in tracking this feature, perhaps you can add this feature to the tracker?
What can we use as a temporary workaround in the meantime?
A workaround is not straightforward: you will need to use a cookie to identify different sessions running in the same window, associate a login state with this cookie (e.g. in a database) and then check in notify() that the current user is still logged in.
The unfortunate thing is that we do not allow access to the current request in WApplication::notify() which would allow you to simply check the current cookies.
As a real solution, we are currently revisiting how we structure sessions from the same browser, allowing direct communication between different 'sessions' of the same user. This would allow actively logging out the user from the other tabs. This change also solves some other issues / feature requests.
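The session-scoped token and the per-request check described in the two replies above, written out as an added example that is not code from this thread or from Wt itself. It is plain C++ with no Wt API: `BrowserSessionStore`, `Tab` and `handleEvent()` are this example's own names, standing in for the shared login-state store (the reply suggests a database), the per-tab WApplication session, and the check that would run from a notify()-style hook. The point it shows is that logout must remove the server-side state behind the cookie token, so every tab that presents the same token sees itself logged out on its next event, which is exactly the gap the "remember me" workaround leaves open.

```cpp
// Added example (not from the thread or from Wt): a server-side store of
// login state keyed by an opaque token that the browser keeps in a
// session-scoped cookie (no Expires/Max-Age) and sends from every tab.
#include <chrono>
#include <map>
#include <mutex>
#include <optional>
#include <random>
#include <string>
#include <utility>

struct LoginState {
    std::string userId;
    std::chrono::steady_clock::time_point issuedAt;
};

// Hypothetical shared store; in a multi-process deployment this would live
// in a database rather than in memory, as the reply above suggests.
class BrowserSessionStore {
public:
    // Issue a fresh opaque token once the user has authenticated.
    std::string login(const std::string& userId) {
        std::string token = randomToken();
        std::lock_guard<std::mutex> lock(mutex_);
        states_[token] = LoginState{userId, std::chrono::steady_clock::now()};
        return token;
    }
    // Called by each tab on every request: is this token still valid?
    std::optional<std::string> userFor(const std::string& token) const {
        std::lock_guard<std::mutex> lock(mutex_);
        auto it = states_.find(token);
        if (it == states_.end()) return std::nullopt;
        return it->second.userId;
    }
    // Logout from any one tab invalidates the token for all tabs.
    bool logout(const std::string& token) {
        std::lock_guard<std::mutex> lock(mutex_);
        return states_.erase(token) == 1;
    }
private:
    // 32 hex digits drawn from the OS entropy source; opaque, not guessable.
    static std::string randomToken() {
        static const char hex[] = "0123456789abcdef";
        std::random_device rd;
        std::string out;
        for (int i = 0; i < 32; ++i) out += hex[rd() % 16];
        return out;
    }
    mutable std::mutex mutex_;
    std::map<std::string, LoginState> states_;
};

// Models one WApplication session (one tab). Hypothetical; not a Wt class.
class Tab {
public:
    Tab(BrowserSessionStore& store, std::string cookieToken)
        : store_(store), token_(std::move(cookieToken)) {}
    // What a notify()-style hook would do: re-check the shared state on
    // every event instead of trusting the tab's own cached login flag.
    bool handleEvent() {
        loggedIn_ = store_.userFor(token_).has_value();
        return loggedIn_;
    }
    void logout() { store_.logout(token_); loggedIn_ = false; }
    bool loggedIn() const { return loggedIn_; }
private:
    BrowserSessionStore& store_;
    std::string token_;
    bool loggedIn_ = false;
};

// Two tabs present the same session cookie; logging out in the first one
// logs the second one out on its next event. Returns true if that holds.
bool demoLogoutPropagates() {
    BrowserSessionStore store;
    std::string cookie = store.login("alice");   // first tab sets the cookie
    Tab tab1(store, cookie), tab2(store, cookie); // new tab sends the same cookie
    bool before = tab1.handleEvent() && tab2.handleEvent();
    tab1.logout();
    bool after = tab2.handleEvent();
    return before && !after;
}
```

In a real Wt deployment the token would be set with WApplication::setCookie without an expiry so the browser discards it when the browser session ends, and the check would have to run somewhere that can read the current request's cookies, which, as the reply notes, WApplication::notify() does not expose. Whatever hook is used, the defensive property is the one the demo asserts: logout deletes server-side state, so a stale cookie in another tab no longer authenticates.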
Is there any timeframe for such functionality to be implemented?