Expected: I log into any public atlassian.com subdomain related to services associated with my atlassian account. All atlassian.com subdomains should accept the identity I established in that session. I log out of one atlassian.com subdomain, they all should log out.
Actual: I log into atlassian.com. If I click "Atlassian support" from that page I am sent to "support.atlassian.com" under which I am not logged in. If I log in both places then log out of one, I will remain logged into the other.
Other info
- I recommend this fix. I don't have time to explicitly confirm which systems honor the same login credentials. My bitbucket, confluence and jira use different domains altogether (atlassian.net, bitbucket.org). I recommend someone needs to step back and review the larger system in these regards. That is, (1) consider all these domains and services, (2) map out which honor login sessions from others, (3) consider how they should work together and (4) make it so.
- As is, the UI is very subtle about this important change in status. So many prominent marketing messages about services I don't care about. Compare that to the subtle change of my icon in the upper-right corner from my profile icon to "log in". Consider that this status change dramatically impacts what I see when I search sites like support.atlassian.com. If I don't see a support resource due to "not logged in" and I don't know I am not logged in, I leave with something worse than "no answer". I leave being misled to conclude an incorrect answer.
- Consider the danger of misunderstanding my login status. I intend to log out of all Atlassian services, but I only logged out of support. Why would I assume one logout would be sufficient when the system clearly forces me to log in for two different atlassian services?
- Users don't and should not need to count "how many different sessions do I have with this service?" This is one reason why. It is common (and good practice) for systems to verify user identity again during a valid session when that session attempts something that is deemed an elevated security risk (like changing contact or payment info). This expectations prevents users from considering "how many different login sessions did Atlassian force me to start. I need to shut them all down".
- Design says "one service" but session manager says "two". Atlassian support's branding and site design are very similar to the sites that use their own session manager. The similarity signals to users "these are the same system" and conclude "they use the same session manager".
