Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Change the current logout message from:
"You have been automatically logged out. Someone else has logged in with your username and password and the maximum number of @number simultaneous sessions was exceeded. This may indicate that your account has been compromised or that account sharing is not allowed on this site. Please contact the site administrator if you suspect your account has been compromised."
To - my suggested improvement / correction:
"You have been automatically logged out. The maximum number of simultaneous sessions ( @number ) for this user account was exceeded right now. This means that this account was accessed (successfully logged into) from another browser session (or another computer). If this was yourself logging into this same account from a different browser session or device, all may be ok, and no further action is needed.
IF you suspect your account has been compromised by someone else accessing your account without permission, please notify the site administrator(s) about this immediately. If you are uncertain as of how the session limit security function works on this particular web site, ask the site administrator(s)."
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | session_limit__module__.txt | 24.24 KB | Leeteq |
Comments
Comment #2
Leeteq CreditAttribution: Leeteq commented(The main problem with the current formulation is that it may unnecessary scare a non-tech user by starting to "claim" that "someone" else have logged into their account, when it actually just might be they themselves who has logged in on two devices when the default/current limit is set to 1... Having a slightly more descriptive text here, may reduce confusion and even reduce unnecessary or confused questions to the admins.)
Edit: and btw, I filed this as a "bug" instead of a "feature request" because the current wording "Someone else has logged in with your username and password" is incorrect in the quite common situation where the user in question has simply logged in to his/her own account on a second device, and the default session limit provided by the module is 1...
Comment #3
Leeteq CreditAttribution: Leeteq commentedAttached is a modified version of the (v2.2) session_limit.module with my suggestion included.
PS. I replaced both the default text, and its sibling inside hook_help. I noticed that there are more/other formulation variants there, and some of them might have better formulations already than (parts of?) mine. However, this issue is about which formulation is shown on the page where the user has been logged out, not on the help page.
Comment #4
darksnow CreditAttribution: darksnow at Deeson for Deeson commentedThanks for the input on this.
In light of https://www.drupal.org/project/session_limit/issues/2912833 being committed I think this issue no longer applies. The existing message is clear enough and conveys the sentiment and intent of this module, security. While your updated message is fine, it's a matter of the tone of the site it is being used in.
The patch linked above allows the admin to change the logout message so if anyone wants to change the message, they can easily.