It is very common for teachers to share a login within a SIS application (seating chart, grade book, in our case Zoom integration). The easiest example is when a teacher is out at the beginning of the school year, and the year begins with a substitute teacher.
When a teacher authenticates through Zoom, we keep their refresh_token so they only have to auth once. Sometimes they may need to auth again, under some circumstances, but ideally only once. In the above situation, when the teacher was not the first to make that connection, we offer the ability to essentially invalidate the refresh_token so they can start fresh. This works, mostly.
Where it doesn’t work is the frustrating part. If they happened to share a computer, and both love the same browser, the zoom.us site maintains a cookie that remembers the first user. Even if the first user manually logs out from zoom.us, that cookie remains.
In this situation, if the second teacher begins the authentication process, the zoom.us cookie, even if the first user logged out, still remembers that first user. It then skips the authentication process, re-authenticating the first user.
I don’t really care so much about the alarming security issue there. I am more concerned about these teachers not being able to authenticate. Sure, there are two workarounds:
- Clear browser cookies - This is an annoying process for users
- Use a different browser, or a fresh incognito window.
For now we are going with #1. But really, if a user logs out of zoom.us, it shouldn’t maintain a cookie that allows authentication to be skipped even if the user is logged out.
I am looking for other ways to get around this, but figured I’d raise the flag.
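One server-side check that turns the "wrong teacher silently re-authenticated" case into a detectable, recoverable error is shown below. It is an added example, not code from the original post or from Zoom: after the OAuth callback, the app asks Zoom who the new token actually belongs to (`GET /users/me`) and only stores the refresh_token if that identity matches the SIS user who started the flow; otherwise it revokes the token and tells the user to sign out of zoom.us and clear its cookies. The Zoom endpoints are the documented OAuth and REST URLs; the SIS-side names (`link_zoom_account`, the `cfg` dict, the fake transport and the sample e-mail addresses) are assumptions made for the example, and all HTTP goes through an injectable `transport` so it runs offline against a constructed stand-in.

```python
import base64
import secrets
from urllib.parse import urlencode

# Zoom's documented OAuth/REST endpoints.
AUTHORIZE_URL = "https://zoom.us/oauth/authorize"
TOKEN_URL = "https://zoom.us/oauth/token"
REVOKE_URL = "https://zoom.us/oauth/revoke"
ME_URL = "https://api.zoom.us/v2/users/me"


def basic_auth(client_id, client_secret):
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_authorize_url(client_id, redirect_uri, state):
    # `state` is bound to the SIS session, so the callback is tied to the
    # teacher who started the flow rather than to whoever the browser's
    # zoom.us cookie says is logged in.
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def link_zoom_account(sis_email, code, state, expected_state, cfg, transport):
    """Exchange the code, verify the Zoom identity, then store the refresh_token.
    `cfg` and `transport` are assumed SIS-side plumbing (not a Zoom API)."""
    if not secrets.compare_digest(state, expected_state):
        return {"status": "state_mismatch"}

    auth = basic_auth(cfg["client_id"], cfg["client_secret"])
    tok = transport("POST", TOKEN_URL, headers={"Authorization": auth},
                    data={"grant_type": "authorization_code", "code": code,
                          "redirect_uri": cfg["redirect_uri"]})
    access, refresh = tok["access_token"], tok["refresh_token"]

    # Ask Zoom which account this token really belongs to.
    me = transport("GET", ME_URL, headers={"Authorization": f"Bearer {access}"})
    zoom_email = me.get("email", "").strip().lower()

    if zoom_email != sis_email.strip().lower():
        # The lingering zoom.us cookie authenticated someone else. Do not keep
        # the token: revoke it so the other teacher's account is never linked.
        transport("POST", f"{REVOKE_URL}?{urlencode({'token': access})}",
                  headers={"Authorization": auth})
        return {"status": "wrong_account", "expected": sis_email,
                "got": me.get("email"),
                "hint": "Sign out of zoom.us and clear zoom.us cookies (or use "
                        "a private window), then connect again."}

    cfg["store"][sis_email] = {"refresh_token": refresh,
                               "zoom_user_id": me["id"]}
    return {"status": "linked", "zoom_user_id": me["id"]}


def make_fake_transport(cookie_account_email):
    """Constructed stand-in for Zoom: the account the browser cookie remembers
    gets a token, and /users/me reports that same account."""
    calls = []

    def transport(method, url, headers=None, data=None):
        calls.append((method, url))
        if url == TOKEN_URL:
            return {"access_token": "at-" + secrets.token_hex(4),
                    "refresh_token": "rt-" + secrets.token_hex(4),
                    "token_type": "bearer", "expires_in": 3600}
        if url == ME_URL:
            return {"id": "u-" + cookie_account_email.split("@")[0],
                    "email": cookie_account_email}
        if url.startswith(REVOKE_URL):
            return {"status": "success"}
        raise ValueError(f"unexpected call {method} {url}")

    transport.calls = calls
    return transport


def demo():
    cfg = {"client_id": "cid", "client_secret": "sec",
           "redirect_uri": "https://sis.example.edu/zoom/callback", "store": {}}
    state = secrets.token_urlsafe(16)
    # Scenario from the post (sample addresses are constructed): the substitute
    # is signed into the SIS, but the shared browser still carries the regular
    # teacher's zoom.us cookie, so Zoom skips its login page.
    stale = make_fake_transport("teacher@example.edu")
    bad = link_zoom_account("sub@example.edu", "code1", state, state, cfg, stale)
    # After clearing cookies, the substitute's own account comes back.
    clean = make_fake_transport("sub@example.edu")
    good = link_zoom_account("sub@example.edu", "code2", state, state, cfg, clean)
    return bad, good, cfg["store"], stale.calls


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The identity comparison is the important part: the authorization code and token exchange succeed either way, so nothing in the OAuth flow itself tells the app that the wrong teacher was re-authenticated. Comparing the `/users/me` result to the SIS session before persisting anything keeps teacher A's refresh_token from ever being filed under teacher B, and gives the user a concrete reason why they need to clear zoom.us cookies instead of a silent mix-up.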