
Logout mechanism

Klaus Hueck klaus.hueck at physik.uni-hamburg.de
Wed Dec 12 08:20:05 PST 2012


Dear all,

concerning the missing logout feature in WebAuth we came up with a 
logout mechanism which might work:

  - The Weblogin server creates yet another cookie (WebloginTrackCookie)
    in which all services are listed which requested a token.
  - If the user clicks the logout button in any of the services he is
    logged in to, he will be forwarded to the logout site (WebAuthDoLogout
    on) of the service. This logout site again forwards the user via a 303
    HTTP forward to the logout URL of the Weblogin server.
  - The Weblogin server then looks up the WebloginTrackCookie to check
    if there are still other services the user is logged in to.
  - If so, the user will be forwarded once more via a 303 forward to the
    next logout site and so on and so forth.

Of course this scheme requires that all services have their own logout 
site but - at least in our usage scenario - this is feasible and the 
logout mechanism described above implemented here in our testing system 
works like a charm.

If I remember right, there was already such a scheme proposed but it was 
implemented by means of JavaScript instead of HTTP forwards.

What do you guys think about such a logout mechanism?

With best regards,

Klaus Hueck
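
The redirect chain described in the message above, as an added sketch that is not part of the original post and not WebAuth code: the cookie format, the HMAC key, the service registry, the URLs and all function names are assumptions. It signs the WebloginTrackCookie value and redirects only to registered logout pages, so a cookie modified in the browser cannot steer the 303 to another site.

```python
import hashlib
import hmac

# Everything here except the cookie's purpose is assumed for illustration.
KEY = b"constructed-demo-key"  # server-side secret, never sent to the browser
LOGOUT_URLS = {  # constructed registry: service -> its WebAuthDoLogout page
    "wiki": "https://wiki.example.org/logout",
    "mail": "https://mail.example.org/logout",
    "svn": "https://svn.example.org/logout",
}
DONE_URL = "https://weblogin.example.org/logged-out"


def encode_track_cookie(services):
    """Serialize the service list and append an HMAC over it."""
    body = ",".join(services)
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def decode_track_cookie(value):
    """Return the service list, or [] if the cookie is absent or tampered."""
    body, sep, mac = (value or "").rpartition("|")
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(mac, expected):
        return []
    # Unknown names are dropped: redirect targets come from the registry only.
    return [s for s in body.split(",") if s in LOGOUT_URLS]


def weblogin_logout(track_cookie):
    """One hit on the weblogin logout URL -> (status, Location, new cookie)."""
    pending = decode_track_cookie(track_cookie)
    if not pending:
        return 303, DONE_URL, ""  # nothing left: clear the cookie
    nxt, rest = pending[0], pending[1:]
    # Drop the service before redirecting so a failing logout page cannot loop.
    return 303, LOGOUT_URLS[nxt], encode_track_cookie(rest)


def run_chain(cookie):
    """Simulate a browser following the 303s back and forth until done."""
    visited = []
    while True:
        _status, location, cookie = weblogin_logout(cookie)
        if location == DONE_URL:
            return visited
        visited.append(location)
```
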




More information about the webauth-info mailing list