If logged in on a network site, log the user in on all other network sites

Platform(s), such as mobile, website, API, other: Website

URLs (aka web addresses) of any pages, if relevant:

Description of need:
If a user logs in on one of the iNaturalist network sites (in this example, iNaturalist.ca), they would still be signed out on every other network site (They would be considered as logged out on iNaturalist.org, even if they are signed in on iNaturalist.ca)

This can create minor irritations (if that is the right word) when linking to something (an observation, a photo, etc) in a comment, journal post or any other means of public writing on one of the iNaturalist sites

Feature request details:
Similar to how Wikipedia logs the user in to all Wikimedia resources upon logging into just one of the Wikimedia sites, If a user is logged in on any of the iNaturalist sites (iNaturalist.ca, iNaturalist.ala.org.au, etc), allow the iNaturalist system to log the user into all other iNaturalist sites (If a user logs into iNaturalist.org, they would be logged into iNaturalist.ca, iNaturalist.ala.org.au, and every other version)

I don’t know how technically feasible it is, but it would certainly make my job easier.

Great idea!
I log in to inaturalist.org, but often follow links to observations on the Australian site and can’t ID or comment because I’m not logged in to it.

I also find this inconvenient, but (if my understanding of the underlying technologies is correct) this is unlikely to be easily fixable.

I may be oversimplifying, but the ability to have a consistent identity when moving from page to page within a particular website relies on identifying the user via a “session cookie” stored temporarily in the user’s browser. When a user logs in at https://www.inaturalist.org/ and then navigates to https://www.inaturalist.org/observations or https://www.inaturalist.org/observations/identify, each subsequent page uses that session cookie to identify the user. The same happens to users logging in at https://www.inaturalist.ca/.

So, why can’t iNat just use the same session cookie across all network sites? That’s a protection built in to Internet standards and all browsers. Session cookies are restricted to the domain that issued them and any subdomains. Imagine if you logged into mybank.com and also opened a tab for dodgydownloads.com. If the second site was able to access your session cookie from mybank.com it could impersonate you and drain your bank account.

So… are there any ways around this? Possibly. There are techniques that would allow a site to store session details on the server side and then interrogate these when a user later wanted connect to another site in the same network. If you have used a big corporate site, such as an insurance company, you may have seen this kind of capability in action.

But there are big downsides: doing this opens up a bunch of new ways that an attacker could compromise an iNat account; the extra complexity means a bunch more stuff that could go wrong and possibly take iNat offline while it’s being fixed; and I suspect the effort required is something we would al prefer to see applied to fix other things in the iNat experience.

The neatest way to fix this would be to follow Wikipedia’s approach and move all the iNat network sites to URLs under the inaturalist.org domain (e.g. ca.inaturalist.org, etc.), but I suspect a lot of people value the national identity of their home network’s URL above the ability to switch to other iNat network sites without logging in again.

this other thread may be relevant: https://forum.inaturalist.org/t/stay-within-your-inat-network-affiliation-domain-when-clicking-links-to-other-inat-network-sites/6898

Aren’t the same observations also on the main site? You have to adjust the URL, which I agree is annoying and feels redundant, but you can get there. Would it work to have a redirect function to redirect you to the same observation on the main site if you are coming from the main site?

Yes, sorry, the problem isn’t really that I “can’t” add comments or IDs. Yes, I have to change the URL, after seeing the notice that I can’t add comments or IDs because I’m not logged in. So it is an annoyance rather than a real obstacle. And the people leaving the links with different URLs in comments on my observations wouldn’t know which site I’m accessing it through, so would have no idea that I face that (minor) inconvenience following their link.

Does it work the other way? Are people logged in to ALA or other regional sites able to access the main site or do they get a message telling them they are not logged in?

It would be nice if there could be some sort of automatic URL editing/redirection to adjust to whichever site the user was logged in to, but I was unaware of the cookie issues Rupert explained above, so perhaps living with the inconvenience is the least troublesome option.

@Vireya just log in to the other domain as well, it’s the same site just different domains. But if they had an auto renaming feature enabled you wouldn’t have to.

Thanks, Reiner. I had a situation where the password I had stored on my machine for ALA was different to the one stored for iNat, so logging in to ALA wasn’t working. But I think I’ve fixed that now so I will try keeping myself logged in to both sites.