[OpenID] What about Logout?
sysadmin at shadowsinthegarden.com
Thu Apr 9 00:55:55 UTC 2009
>As far as the end user is concerned, they only logged in ONCE.
>But in reality TWO logins happened: one at the OP and one at RP1.
Perhaps a delayed Redirect at the OP to show them "You are logged in
at this site for that RP.", giving them a couple of seconds to see
this notification before automatically proceeding? I don't know if
all browsers would support this, though (or if scripting would need
to be enabled). The risk I see is that an RP can simply misrepresent
to the user what happened, showing a report that the OP had logged
that user out, while actually telling the OP no such thing. To give
the user a reliable basis on which to make such assumptions, they
should be visiting their OP each time they log out, to see this
confirmed - and then click once more to be sent back to where they
would have gone at the RP.