[OpenID] What about Logout?

SitG Admin sysadmin at shadowsinthegarden.com
Thu Apr 9 00:55:55 UTC 2009


>As far as the end user is concerned, they only logged in ONCE.
>But in reality TWO logins happened: one at the OP and one at RP1.

Perhaps a delayed Redirect at the OP to show them "You are logged in 
at this site for that RP.", giving them a couple of seconds to see 
this notification before automatically proceeding? I don't know if 
all browsers would support this, though (or if scripting would need 
to be enabled). The risk I see is that an RP can simply misrepresent 
to the user what happened, showing a report that the OP had logged 
that user out, while actually telling the OP no such thing. To give 
the user a reliable basis on which to make such assumptions, they 
should be visiting their OP each time they log out, to see this 
confirmed - and then click once more to be sent back to where they 
would have gone at the RP.

-Shade


