One account can access the other's even if logged out

Scenario:

User A logs in to connect.garmin.com on the web. Enables "remember me" in the login screen. Logs out.

User B logs in to connect.garmin.com on the web. Goes to Profile and Account (top right corner) --> Account Settings --> Account Information --> Change email.

Now the scary part: User B suddenly can see User A's email and is able to change it!

A and B are my wife and me, so no worries, but this scenario should not be possible, right?

  • > Now the scary part: User B suddenly can see User A's email and is able to change it!
    >
    > A and B are my wife and me, so no worries, but this scenario should not be possible, right?

    This is not Garmin's fault, though. It is the fault of your browser storing the logins and passwords for diverse websites. It will happen to any website requiring a sign-in, unless you disable the storing of login credentials in the browser's settings.

    If you share your computer with other people, you should not let them use your OS account, and if you do, then you should definitely disable the saving of your passwords, in the browser.

  • I disagree.

    Garmin saving a login for the Connect website is one thing, especially if they asked the user to do so, and the user agreed. The browser saving credentials for Connect is another thing. Those are both acceptable.

    What's not acceptable is if I log into Connect as User B, Connect tells me I'm logged in as User B (as implied in OP), but Connect also shows me data for User A. This seems to be evidence of a badly coded site. Either the site is showing cached data from User A, or it's accepting cached credentials for User A, even after User B successfully logged in [I assume].

    Logging in as User B should invalidate any traces of the previous login for User A, other than saved credentials in the browser. Even if User A checks the "remember me" checkbox (which should preserve their login across sessions), clearly their login should be invalidated if User B logs into Connect on the same browser.

    Note: I am excluding the edge case where sites like Google allow you to log in as multiple users at the same time, in a supported manner. Clearly that's not what's happening here.
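
The invalidation rule argued for in the reply above, as an added example that is not part of the thread and is not Garmin's code. It models one hypothetical cause ("accepting cached credentials for User A"): a stale "remember me" token that outlives logout. `AuthServer`, the cookie names and the account endpoint are assumptions made for illustration.

```python
import secrets

class AuthServer:
    """Toy server-side auth state; each browser's cookie jar is a plain dict."""

    def __init__(self, harden):
        self.harden = harden
        self.sessions = {}   # session id -> user
        self.remember = {}   # remember-me token -> user

    def _revoke(self, jar):
        # Drop every credential the browser presented, server-side and client-side.
        self.sessions.pop(jar.pop("sid", None), None)
        self.remember.pop(jar.pop("remember", None), None)

    def login(self, jar, user, remember_me=False):
        if self.harden:
            self._revoke(jar)            # no trace of a previous login survives
        sid = secrets.token_urlsafe(16)  # always issue a fresh session id
        self.sessions[sid] = user
        jar["sid"] = sid
        if remember_me:
            token = secrets.token_urlsafe(16)
            self.remember[token] = user
            jar["remember"] = token

    def logout(self, jar):
        if self.harden:
            self._revoke(jar)
        else:
            # Flawed: only the session is dropped; the remember token stays valid.
            self.sessions.pop(jar.pop("sid", None), None)

    def account_email_owner(self, jar):
        # Hypothetical account endpoint. The flawed variant trusts the
        # remember-me token before the session, so a stale token wins.
        by_session = self.sessions.get(jar.get("sid"))
        by_token = self.remember.get(jar.get("remember"))
        if self.harden:
            return by_session            # identity comes from the session only
        return by_token or by_session

def scenario(harden):
    """Replay the thread's flow in one shared browser (one cookie jar)."""
    server, jar = AuthServer(harden), {}
    server.login(jar, "user_a", remember_me=True)
    server.logout(jar)
    server.login(jar, "user_b")
    return server.account_email_owner(jar)
```

`scenario(False)` resolves the account page to `user_a` even though `user_b` is the one logged in; `scenario(True)` resolves it to `user_b`.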

  • I don't agree.

    Logging out of an account should log you out.

    Logging in with another account should log you out of the first one. 

    Being able to jump directly from a logged in account to a logged out account without entering any credentials would be considered a major security issue. 

  • Exactly. Moreover, after changing an account email, the old email continues to receive mails from Garmin Forum. Not the same issue, but security obviously is screwed up here. 

  • Youdontwannaknow said:
    > Logging out of an account should log you out.

    I tested it right now again with Edge (though it will be the same with any other browser as well). When I log out from Garmin Connect, and then go to the Garmin Account website, I have to sign in again. And if I disable the credentials storing in the browser settings, there is no email address prefilled, and I have to enter both the login and the password.

    So I repeat what I wrote - it is not Garmin's fault, it is a problem of the settings in your browser.

  • > So I repeat what I wrote - it is not Garmin's fault, it is a problem of the settings in your browser.

    You seem to be assuming that the browser is either prefilling the credentials for User A or remembering User A's login via cookies or session storage, so that User B is actually logging in as User A while mistakenly thinking they were logged in as User B.

    But that's not what I understood from the OP: what I understood is that User B logs in as User B, but they're able to see User A's account information.

    This may or may not be what is happening, but just because you can't reproduce it, does not mean it isn't happening to OP.

    There have been a handful of reports over the years of users seeing activities belonging to other accounts (completely unrelated, certainly not associated with the same device), so idk why it's impossible to believe a similar bug couldn't be happening here. Right on the sidebar of this thread, there's a link to a 14-year-old topic: "Garmin Connect keeps logging me into other people's accounts".

    I wasn't around back then, but I do remember similar reports from more recent years.

  • If the OP sees an email address prefilled in the sign-in form, then it is definitely a problem of the browser. Garmin's website does not do that automatically.

  • > If the OP sees an email address prefilled in the sign-in form, then it is definitely a problem of the browser. Garmin's website does not do that automatically

    But OP did not say that.

    The rest of my post is in a pastebin bc garmin hates us and doesn't want us to use the forums ever again

    https://pastebin.com/hGMH9HZr

  • Hold it 🙂 - it seems that we are describing different issues here.

    I am sure you can reproduce this issue if you have more than one account. I have reproduced it in Chrome and Edge. And I have reproduced it without the "remember me" as well.

    This is the flow:

    User A: Log in to connect.garmin.com on the web. Logs out.

    User B: Log in to connect.garmin.com on the web. Go Profile and Account (top right corner) --> Account Settings --> Account Information --> Change email.

    Now user B sees User A's email.

    This should not be possible. User B should see user B's email, not some other user that might have used the browser before.

  • Having said all of that, I cannot reproduce the problem either, but I can think of another possible explanation.

    In between the time that User A and User B log in, does anyone use the Garmin forums?

    There's a quirk where the Garmin forums and the Connect website apparently require separate logins, but they actually share the same login. This can lead to some unexpected behavior. e.g.

    - I log into the Garmin forums as User #1

    - I navigate to Connect, which asks me to log in, giving me the impression that it's a totally separate login from the forums: I log in as User #2

    - Now if I go back to any open forums tabs, they will have *silently* been switched to User #2

    So I have to ask: when User B logs in as User B, are they 100% sure they successfully logged in as User B? You could try to verify this by changing your avatars (if you haven't done so already), so User A and User B have completely distinct avatars, and it's 100% clear who's logged in.