Browser logged in or out everywhere

balderclaassen
balderclaassen
Community Member
edited August 2018 in 1Password in the Browser

Hello lovely humans :)

I hope this is the right place, most of this relates to 1PasswordX and the web version, I didn't see a category for the web version.

If I log into 1password web, and I try to open any of the buttons/links there into a new tab, I get prompted for the password again.
However, the Firefox extension (that gets logged in automatically when I log into web) can open new tabs without getting prompted for the password.

I like the convenience of only having to log in once into a browser, not both extension and web, but there's a bit of a catch.
Logging the extension in automatically when I log into web doesn't give any extra privileges, so the convenience doesn't come at at any cost.
The other way around however, If I am logged into the extension only, I can see and use items, but not edit, nor see that vacation mode is hiding vaults.
So in the situation where I am logged into the extension when someone (customs or criminal) gets to my laptop, they can now without the password get to the web version, activate hidden vaults etc. If the extension wouldn’t automatically log in web, or like new tabs opened from web, would prompt the password for every tab opened, that would significantly increase the safety of being only logged into the extension.

I noticed that if I log out of 1password web, the extensions remains logged in.
If I have (3) tabs of 1password web open, and I log out in one of them, a manual refresh of the other tab will prompt a password. However, without a refresh, I can not only read what is currently visible on the page, I can go to my profile, open vaults, look at items, etc, without the website making a check for the fact that I logged out in the other tab.

I would expect that when I click log out, anywhere in my browser, I can safely walk away knowing someone can't use that browser to get at data in 1Password:
1. When I log out on web, I think I would always also want the rest of the browser (the extension) to get logged out. If not, the option to have 1 process for logging both of them out would be nice.
2. If I log out in one tab of my browser, best case scenario, this sends a forced refresh(within a minute or less) to all other 1password tabs in my browser that logs those out as well. I don't know if this is technically doable however it would certainly be nice.
3. Logging out of 1 tab, very good case scenario, I don't really expect the data currently visible on other tabs to be secret/safe. However, I would expect that any further clicks, would check if I am still logged in. On most services (ex. FB), if I log out in 1 tab, any other tab will not load many things any more, and going to a different page will prompt a login. I am guessing in 1password this all runs locally with JavaScript, and doesn't make server requests for any of those clicks, therefore it doesn't have that behaviour. But I assuming it could, maybe not for every click on another item but at least for something like opening a vault from the home screen.

An alternative solution to possible solutions mentioned for the above 3 points is that every minute, or at least every 5minutes, every web tab and browser extension runs a check asking, did the user log out anywhere in this browser ?

Thank you very much for reading my in the end surprisingly long text,
Have a nice day,
Balder

Edit: If I log out of web, or get timed out after 10 minutes from web, so long as the extension is still logged in, I can get right back into web without getting prompted for a password. The 1PasswordX settings page, (moz-extension:// etc.), is also a place from where you can get back into the web version you just logged out of.


1Password Version: Not Provided
Extension Version: 1.10.2
OS Version: Ubuntu 16.04
Sync Type: 1Password

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @balderclaassen: Thanks for getting in touch. I think I mostly understand what you're saying, but I think I may be missing something. Whether you're using 1Password X or the 1Password.com web interface (or the other apps), you always stay "logged in" in the sense that you don't have to re-sign into your account from scratch every time you want to access your data (unless you intentionally log out), but 1Password should "lock" (and therefore require your Master Password) automatically when you're not using it (again, unless you prevent it from doing so, by disabling the autolock feature). Are you saying that's not working correctly on your machine? It sounds like you're suggesting that 1Password somehow log you out across all instances on all devices when you close it on one. I may just be misunderstanding though. Thanks in advance for any clarification! :)

  • balderclaassen
    balderclaassen
    Community Member

    Thanks for the reply. It helps get a better idea of how its intended to work.

    The first part of my post I was basically arguing that there is a security benefit to a situation where login in to the extension doesn't also log you into 1password.com. Especially concerning vacation mode which is based around someone accessing your 1password, but not the web version.
    But, well as I understand it now that is indeed not the choice you're making, which is absolutely fine.

    Another thing I noticed, is that if I click open in new tab in 1password.com that other tab prompts me for a password. Even though I am opening this tab from a logged in tab.
    However, a workaround, opening new tabs from 1PasswordX never prompts for a password, so that's a bit inconsistent. That is inconvenient when you for example want to have 2 vaults open at the same time in two tabs and can't just do that from the web version.

    Now as for logging out. I certainly don't expect 1Password to log me out of other devices when I log out (nor is it doing that.). Logging me out of other instances on the same device, is probably not technically reasonable either, nor always going to be desired. However when I log out on 1password.com or lock 1passwordX, I would assume that that browser, on that device, is then logged out. Which it doesn't, for me.
    I would prefer a way to log out both extension and 1password.com for that browser in one go. Just as the login process also logs in both of them at once.

    Additionally, if log out of a browser tab, I generally assume, other tabs in the browser for the same website will become rather static. In 1password however, no such security seems to be build in. Going to a different page within a tab doesn't make a check if I am logged in.
    I have always considered how websites turn static like that a security thing, but now I see maybe that's just an unintended side effect of those websites constantly making calls to the server for just about anything, and 1Password doesn't do that.
    Can 1Password see several logged in tabs in one browser as being the same session ? If so I think it would be safer if those tabs would either regularly, or when a new page is requested to be opened, check if that same session has actually logged out. Or instantly when a logout happens in that browser/session.
    (As I am writing this I realize you make this same check with the lock system. After a certain amount of minutes it automatically logs you out of the web on any tabs that haven't been active. But if the same browser session clicks logs out, it doesn't make that check.)

    Well and the timer on the 1password.com lock is circumvented by 1PasswordX if its lock timer is higher, I was confused about that, but I can see how it makes sense now.
    I guess that timer is more useful when someone logs into 1password.com but doesn't have the browser extension.

    Again, thanks for reading in advance ^ ^

  • AGAlumB
    AGAlumB
    1Password Alumni

    Thanks for the reply. It helps get a better idea of how its intended to work.

    @balderclaassen: Sure thing! :)

    The first part of my post I was basically arguing that there is a security benefit to a situation where login in to the extension doesn't also log you into 1password.com. Especially concerning vacation mode which is based around someone accessing your 1password, but not the web version. But, well as I understand it now that is indeed not the choice you're making, which is absolutely fine.

    Nevertheless, you raise a good point. The main issue is that even if there were a way to have 1Password.com require separate login from 1Password X in the browser, you'd then not be able to edit, since 1Password X depends on 1Password.com for that. But if we can add a full editor to 1Password X itself in the future, this is something worth considering. Thank you!

    Another thing I noticed, is that if I click open in new tab in 1password.com that other tab prompts me for a password. Even though I am opening this tab from a logged in tab.

    However, a workaround, opening new tabs from 1PasswordX never prompts for a password, so that's a bit inconsistent. That is inconvenient when you for example want to have 2 vaults open at the same time in two tabs and can't just do that from the web version.

    Well, if you open both vaults from 1Password X directly, then they'll both already have a session and behave the way you expect. However, while I disagree that it's inconsistent (1Password X can open the site using its own session), you're right that it can be a bit confusing. I'm having trouble squaring this perspective with the previous one though. Would you prefer that 1Password X be completely separate from 1Password.com, and therefore the website will always require login; or do you want 1Password.com to always use 1Password X's login session when it's unlocked? To be clear, I don't disagree with either of these myself. Perhaps that's why it's not easy to say "this is the way it should be" and work through the technical challenges toward that goal.

    Now as for logging out. I certainly don't expect 1Password to log me out of other devices when I log out (nor is it doing that.). Logging me out of other instances on the same device, is probably not technically reasonable either, nor always going to be desired. However when I log out on 1password.com or lock 1passwordX, I would assume that that browser, on that device, is then logged out. Which it doesn't, for me. I would prefer a way to log out both extension and 1password.com for that browser in one go. Just as the login process also logs in both of them at once.

    Thanks for clarifying! That makes perfect sense. I'm not sure it's feasible at this time, but something worth considering. But again, we're kind of trying to have it both ways here. Are 1Password X and 1Password.com the same thing? Definitely not. 1Password X can though, as you pointed out, open 1Password.com in a browser tab using its own session. If they operated together fully, that would pose a problem for your Travel Mode example above: you would not really be able to use 1Password X if you enabled Travel Mode through the website. I agree it's a bit confusing, and that we should try to do better. I'm just not sure what the solution is when neither of us can agree with ourselves. :lol:

    Additionally, if log out of a browser tab, I generally assume, other tabs in the browser for the same website will become rather static. In 1password however, no such security seems to be build in. Going to a different page within a tab doesn't make a check if I am logged in.

    I'm not following you here though. When you go to Amazon, after you login, do you have to do so again each time you navigate to a new page? No, and generally that's what people expect. I think maybe it's more helpful though to think about 1Password.com in different terms: an app, because that's really what it is. When you visit 1Password.com, the code is downloaded and run in your browser locally. Apart from the fact that different technologies are used, it's essentially the same as 1Password for Mac, etc. in that regard. If you unlock 1Password for Mac, should it require you to "login" again each time you go to a different "page" — say, to view another item's details? That wouldn't be a great experience, and wouldn't offer any real benefit, so it isn't the way any of our apps work. And 1Password.com, while limited in some ways due to the nature of the technologies available today, is intended to be as close to that as we can make it. Does that angle help?

    I have always considered how websites turn static like that a security thing, but now I see maybe that's just an unintended side effect of those websites constantly making calls to the server for just about anything, and 1Password doesn't do that.

    Indeed, I think this may be the lynchpin: since 1Password.com is a full web app running locally on your machine, it only really needs to talk to the server for purposes of fetching (or sending) new data to it. To be sure, it's more of a "thin client" given it doesn't cache data locally (like the native apps), but the whole thing — UI, crypto, etc. — is running on your machine, not on our server. That's why it's not always as snappy as we want it to be on less powerful machines.

    Can 1Password see several logged in tabs in one browser as being the same session ? If so I think it would be safer if those tabs would either regularly, or when a new page is requested to be opened, check if that same session has actually logged out. Or instantly when a logout happens in that browser/session.

    I don't think that's possible, as each tab is in an isolated sandbox in the browser, in this case running the 1Password.com web app. I get what you're saying, but I believe that it would be worse for security, not to mention that we can't break the browser's sandbox. Certainly this is different from other websites, but they use things like cookies for session state, which is all managed on their server. The opposite is true for 1Password.com.

    (As I am writing this I realize you make this same check with the lock system. After a certain amount of minutes it automatically logs you out of the web on any tabs that haven't been active. But if the same browser session clicks logs out, it doesn't make that check.) Well and the timer on the 1password.com lock is circumvented by 1PasswordX if its lock timer is higher, I was confused about that, but I can see how it makes sense now.

    I guess that timer is more useful when someone logs into 1password.com but doesn't have the browser extension. Again, thanks for reading in advance ^ ^

    I can definitely see how it can be confusing, but hopefully my explanations above helped. Indeed, 1Password.com doesn't "circumvent" 1Password X; they're completely separate apps with different functions, code, and use cases. But I agree that it could be nice if we can make them work more seamless together in the future — or not, depending on what ends up making the most sense after weighing the pros and cons of the suggestions you made above. Not a simple topic, so I appreciate you taking the time to share your thoughts on all of this! :)

This discussion has been closed.