The problem you describe is worse than that. If the user leaves the computer with their session to their OpenID Provider active, not only can a stranger access all data at that provider (like Gmail, blog and calendar in the case of Google), but the stranger can log into ANY OpenID RP... not just the one that the earlier user just logged out of.<div>
<br></div><div>And since OpenID doesn't prescribe a way for RPs to automatically log users out of the OPs, the best thing you can do at the RP is after the user clicks "Log Out" to display a noticeable message saying "Don't forget to log out of [OpenID Provider] as well".<br clear="all">
--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Thu, Jul 23, 2009 at 4:50 AM, zlzc2000 <span dir="ltr"><<a href="mailto:zlzc2001@hotmail.com">zlzc2001@hotmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
Dear Forum ,<br>
<br>
Im developing a OpenID solution using the Java library openID4java. After a<br>
user signed in, I can manage the Logout for my Website. But if the user<br>
klicks the OpenID-login button again, my site redirects the request implicit<br>
to the for example google server wich still has a "open" session. Therefore<br>
goole veryfies my request positive and the user relogs in without giving a<br>
passwort again, wich means that my site<br>
constructs a new session with the old useraccount.<br>
This would be a problem, if someone in a public place logs of the page and 2<br>
minutes later someone else is able to "continue" his session.<br>
I didnt find any API call to finish the session for the OpenID server maybe<br>
someone has a hint for me to resolve this problem ,<br>
<br>
thanks a lot !<br>
<br>
regards,<br>
<font color="#888888"><br>
<br>
<br>
--<br>
View this message in context: <a href="http://www.nabble.com/general-Logout---Signout-Problem-with-OpenID-tp24624173p24624173.html" target="_blank">http://www.nabble.com/general-Logout---Signout-Problem-with-OpenID-tp24624173p24624173.html</a><br>
Sent from the OpenID - General mailing list archive at Nabble.com.<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</font></blockquote></div><br></div>