Issues with single sign out

Dick Hardt dick at sxip.com
Tue Nov 7 18:47:08 UTC 2006


implementation issues:
-------------------------------
* clearing session cookies
Most application environments set a cookie to manage who the user is and if she is logged in. The straightforward method for logging a user out is to clear the cookie. Since cookies are stored on the browser, the site needs to be interacting directly with the browser to clear the cookie (some browsers can let you clear cookies in a different domain, but not all of them). This means bouncing the user to each RP to get them to clear the cookie, and any of the RPs can abort the processing by not handing control back to the OP. This approach also is ugly. There may be a better way to do it, but we did not think of one, and stopped working on it as we came to the conclusion that the feature was really not what we wanted in the UX.

user experience issues:
--------------------------------
* differentiating between logging out of the site and logging out of all OpenID sessions
Having a new link/icon for logging out overloaded users. They were not sure which thing did which. When clicking [sxip out], they understood what happened, but wanted to know how to just log out of the site.

Given all the above, I don't think single sign out is practical or useful. Happy to be proven wrong though, so if someone wants to write an extension for single sign out, go for it!

-- Dick
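The two mechanics in the post (a browser will not let one site clear another domain's cookie, so the OP must bounce the user through every RP, and any RP that fails to hand control back stalls the chain) can be made concrete with a small model. This is an added example, not code from the post or from sxip; the hostnames, the `session` cookie name and the `CookieJar`/`single_sign_out` helpers are constructed for illustration, and the jar is a deliberately simplified RFC 6265 store.

```python
from dataclasses import dataclass, field


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 §5.1.3 domain matching: equal, or host is a subdomain of domain."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


@dataclass
class CookieJar:
    """Minimal browser cookie store keyed by (domain, name); constructed model."""
    cookies: dict = field(default_factory=dict)

    def set_cookie(self, response_host, name, value="", domain=None, max_age=None):
        """Process one Set-Cookie header sent by `response_host` (RFC 6265 §5.3).
        Returns True if the browser stored/expired the cookie, False if it ignored it."""
        if domain is not None and not domain_matches(response_host, domain):
            return False  # Domain attribute does not cover the responding host: discarded
        key = ((domain or response_host).lower(), name)
        if max_age is not None and max_age <= 0:
            self.cookies.pop(key, None)  # Max-Age=0 expires, i.e. clears, the cookie
        else:
            self.cookies[key] = value
        return True

    def logged_in(self, host):
        return (host.lower(), "session") in self.cookies


def single_sign_out(jar, rps, hands_control_back):
    """Bounce the user through each RP's logout endpoint, as the post describes.
    Each RP clears its own cookie and should redirect back to the OP; an RP not in
    `hands_control_back` never redirects, so the chain stops there and the remaining
    RPs stay logged in. Returns the RPs that were actually logged out."""
    logged_out = []
    for rp in rps:
        jar.set_cookie(rp, "session", max_age=0)  # RP's own response clears its cookie
        logged_out.append(rp)
        if rp not in hands_control_back:
            break
    return logged_out


if __name__ == "__main__":
    jar = CookieJar()
    for rp in ("rp1.example", "rp2.example", "rp3.example"):
        jar.set_cookie(rp, "session", "abc123")  # constructed sessions at three RPs
    # The OP cannot expire an RP cookie from its own response: the browser ignores it.
    print(jar.set_cookie("op.example", "session", domain="rp1.example", max_age=0))
    print(single_sign_out(jar, ["rp1.example", "rp2.example", "rp3.example"], {"rp1.example"}))
```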



