<HTML>
<HEAD>
<TITLE>Re: [OpenID] What about Logout?</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>I’m not familiar with “Session Sync”, but it sounds like you’re asking if Facebook contacts each of the RPs to tell them that the user is now logged out?<BR>
<BR>
The answer is no – on logout, Facebook just deletes its Facebook cookies. It’s up to the RPs (applications, in our terminology) to check with Facebook at their next convenience. In practice this means that there’s usually a lag of about one page load. This isn’t great, but it’s a reasonable compromise for the user experience.<BR>
<BR>
On 4/8/09 12:14 PM, "Martin Atkins" <<a href="mart@degeneration.co.uk">mart@degeneration.co.uk</a>> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'><BR>
<BR>
Am I right in thinking that in Facebook Connect's case this works with<BR>
the "Session Sync" functionality so that once you log out of Facebook<BR>
you're immediately logged out of sites that make use of session sync?<BR>
<BR>
In order to do this effectively with OpenID we'd need an equivalent<BR>
Session Sync system.<BR>
<BR>
Luke Shepard wrote:<BR>
> I agree, logout seems to be more and more important for a full single<BR>
> sign-on / sign-out experience. We found with Facebook Connect that we<BR>
> had to offer RPs the ability to log the user out of Facebook, for<BR>
> consistency.<BR>
><BR>
> Consider this: the user goes to the RP, clicks the “login” button, and<BR>
> then a popup comes up onto their OP. The user happily enters their<BR>
> credentials, popup closes, and they’re in. Great! Then they hit “logout”<BR>
> on the site they’re on, and go on their way. But if this is a shared<BR>
> terminal, then they still have a cookie onto their OP, which leaves them<BR>
> exposed. A better solution would be to let the RP log them out of their<BR>
> provider.<BR>
><BR>
> There are workarounds, some of which were suggested by Allen in previous<BR>
> threads – for instance, having a short cookie timeout, trying to detect<BR>
> recent activity, etc, but none are quite as clean as a solid logout trick.<BR>
><BR>
> I think it would be relatively easy to add to the next spec. We could<BR>
> add an additional mode or two - say, “logout_setup” or<BR>
> “logout_immediate”. They would behave the same as checkid_immediate<BR>
> and checkid_setup, except in reverse – the RP must supply the correct<BR>
> user credentials, and the OP can then log them out and return only<BR>
> “success” or “failure”.<BR>
><BR>
><BR>
> On 4/8/09 7:05 AM, "Santosh Rajan" <<a href="santrajan@gmail.com">santrajan@gmail.com</a>> wrote:<BR>
><BR>
><BR>
><BR>
> If an RP wants to log out the user not only from his site, but also from the<BR>
> OP, there is no easy way for him to do it. Currently it is a pain. He needs<BR>
> to figure out how to log out from each OP himself, while most OPs haven't even<BR>
> documented this.<BR>
> Eg. This is the Google Logout URL.<BR>
> <a href="https://www.google.com/accounts/Logout">https://www.google.com/accounts/Logout</a><BR>
> This is Yahoo's undocumented Logout URL.<BR>
> <a href="https://login.yahoo.com/config/login?logout=1">https://login.yahoo.com/config/login?logout=1</a><BR>
><BR>
> Maybe we need to address this in 2.1? Like the OP may provide the<BR>
> Logout URL<BR>
> in the discovery itself along with the endpoint URL?<BR>
> --<BR>
> View this message in context:<BR>
> <a href="http://www.nabble.com/What-about-Logout--tp22951181p22951181.html">http://www.nabble.com/What-about-Logout--tp22951181p22951181.html</a><BR>
> Sent from the OpenID - General mailing list archive at Nabble.com.<BR>
><BR>
> _______________________________________________<BR>
> general mailing list<BR>
> <a href="general@openid.net">general@openid.net</a><BR>
> <a href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><BR>
</SPAN></FONT></BLOCKQUOTE>
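<BR>
The "check with the provider on the next page load" approach from the reply above, sketched for an OpenID 2.0 RP using checkid_immediate. This is an added example, not code from the thread or from Facebook; the function names, the example URLs and the caller-supplied verify_assertion callable are assumptions, and it assumes no delegation (claimed_id equals identity).<BR>

```python
from urllib.parse import urlencode, urlparse, parse_qs

OPENID_NS = "http://specs.openid.net/auth/2.0"


def build_recheck_url(op_endpoint, claimed_id, return_to, realm):
    """Build a checkid_immediate request the RP can send on a page load.

    The OP must answer without showing any UI, so the user only notices
    the re-check when the OP session is gone.
    """
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_immediate",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,  # assumption: no delegation in use
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    sep = "&" if urlparse(op_endpoint).query else "?"
    return op_endpoint + sep + urlencode(params)


def still_logged_in(return_url, expected_claimed_id, verify_assertion):
    """Decide whether the local RP session may continue.

    return_url is the URL the OP redirected the browser back to.
    verify_assertion is a hypothetical callable supplied by the RP's
    OpenID library that checks signature, nonce and return_to.
    Anything other than a verified assertion for the same user ends the
    local session (fail closed).
    """
    query = parse_qs(urlparse(return_url).query)
    fields = {key: values[0] for key, values in query.items()}
    if fields.get("openid.mode") != "id_res":
        return False  # setup_needed, cancel, error or a missing mode
    if fields.get("openid.claimed_id") != expected_claimed_id:
        return False  # shared terminal: someone else is signed in at the OP
    return bool(verify_assertion(fields))


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(build_recheck_url("https://op.example/server",
                            "https://alice.example/",
                            "https://rp.example/return",
                            "https://rp.example/"))
    print(still_logged_in("https://rp.example/return?openid.mode=setup_needed",
                          "https://alice.example/", lambda f: True))
```

Until the next re-check runs, the RP session outlives the OP session, which is the one-page-load lag described in the reply.<BR>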
</BODY>
</HTML>