Authentication tokens: session already active - different user
Overview
See #4463 (closed) and #4462. This improvement issue relates to handling the case where the new user is different to that of the existing session.
From this chat:
@totten says:
- if the active session is same user, then no problems. just proceed.
- if the active session user differs from the requested user, then you kinda have to choose between:
  - killing the old session and starting a new one
  - changing the userID of the live session. (but then you're liable to leak session-data in hard-to-predict ways)
  - aborting the request
For the already active session with different user - I think it would be ideal to show a prompt and confirm that they want to logout/switch-user.
Edited by ayduns
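
The three choices listed above, as an added sketch (not code from this issue or from the project). `Session`, `apply_token`, the policy names and the in-memory session object are hypothetical stand-ins; the sample data is constructed.

```python
import secrets

class Session:
    """Minimal server-side session: an ID, the bound user, and stored data."""
    def __init__(self, user_id):
        self.sid = secrets.token_urlsafe(16)
        self.user_id = user_id
        self.data = {}

class UserMismatch(Exception):
    """The token names a different user than the active session."""

def apply_token(session, token_user_id, policy="restart"):
    """Reconcile an active session with the user an auth token names.

    Returns the session the request should continue with.
    """
    if session.user_id == token_user_id:
        return session                     # same user: just proceed
    if policy == "abort":
        # The caller can catch this and show a logout/switch-user prompt.
        raise UserMismatch(f"session belongs to user {session.user_id}")
    if policy == "swap":
        session.user_id = token_user_id    # old user's data stays attached
        return session
    if policy == "restart":
        session.data.clear()               # destroy the old user's state
        return Session(token_user_id)      # fresh ID, empty data
    raise ValueError(f"unknown policy: {policy}")

def demo(policy):
    """Constructed scenario: user 101 is logged in, a token for 202 arrives."""
    old = Session(101)
    old.data["draft_contact_email"] = "alice@example.org"  # constructed value
    old_sid = old.sid
    new = apply_token(old, 202, policy)
    return {"user": new.user_id,
            "same_sid": new.sid == old_sid,
            "inherited": dict(new.data)}
```

With `swap`, user 202 continues on user 101's session ID and inherits the stored draft; with `restart`, both the ID and the data are new.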