klaus.hueck at physik.uni-hamburg.de
Wed Dec 12 08:20:05 PST 2012
concerning the missing logout feature in WebAuth we came up with a
logout mechanism which might work:
- The Weblogin server creates yet another cookie (WebloginTrackCookie)
in which all services are listed which requested a token
- If the user clicks the logout button in any of the services he is
logged in to, he will be forwarded to the logout site (WebAuthDoLogout
on) of the service. This logout site again forwards the user via a 303
HTTP forward to the logout URL of the Weblogin server.
- The weblogin server then looks up the WebloginTrackCookie to check
if there are still other services the user is logged in to.
- If so, the user will be forwarded once more via a 303 forward to the
next logout site and so on and so forth.
Of course this scheme requires that all services have their own logout
site but - at least in our usage scenario - this is feasible and the
logout mechanism described above implemented here in our testing system
works like a charm.
If I remember right, there was already such a scheme proposed but it was
What do you guys think about such a logout mechanism?
With best regards,
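The redirect chain described in the message above, simulated as an added example that is not part of the original post and is not WebAuth code. The URLs, service names, the HMAC sealing of the tracking cookie and the registry of logout sites are assumptions made for illustration; the registry means the server only ever redirects to logout URLs it already knows.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: secret held only by the WebLogin server
WEBLOGIN_LOGOUT = "https://weblogin.example.org/logout"  # hypothetical URL
REGISTERED = {  # hypothetical registry: service -> its logout site
    "wiki": "https://wiki.example.org/logout",
    "mail": "https://mail.example.org/logout",
}

def seal(services):
    """Encode the tracked service list as a tamper-evident cookie value."""
    body = base64.urlsafe_b64encode(json.dumps(services).encode())
    return body.decode() + "." + hmac.new(KEY, body, hashlib.sha256).hexdigest()

def unseal(cookie):
    """Return the service list, or [] if the cookie is missing or modified."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except (AttributeError, ValueError):
        return []
    good = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), good.encode()):
        return []
    return json.loads(base64.urlsafe_b64decode(body))

def weblogin_logout(cookie):
    """One visit to the WebLogin logout URL: (status, location, new cookie)."""
    pending = [s for s in unseal(cookie) if s in REGISTERED]
    if not pending:
        return 200, None, None  # chain finished: show the "logged out" page
    nxt = pending.pop(0)        # removed before redirecting, so the chain ends
    return 303, REGISTERED[nxt], seal(pending)

def service_logout(name, app_cookies):
    """A service's logout site: drop its own session, 303 back to WebLogin."""
    app_cookies.pop(name, None)
    return 303, WEBLOGIN_LOGOUT

def run_chain(cookie, app_cookies):
    """Follow the 303s as a browser would; return the services visited."""
    visited, by_url = [], {u: n for n, u in REGISTERED.items()}
    while True:
        status, loc, cookie = weblogin_logout(cookie)
        if status == 200:
            return visited
        name = by_url[loc]
        service_logout(name, app_cookies)
        visited.append(name)
```
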