Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’ve got a very simple DotNetOpenAuth implementation working for my MVC4 site (Google only).
The trouble is, if I (1) log in to my site using Google and then (2) log out of Google, I still remain authenticated on my site.
Is this by design? I’m new to OpenId so I’m a bit confused. Surely users will expect that if they sign out of Google that will end all their associated OpenId sessions?
Yes.
It would cause havoc for websites if other websites could just go and alter their session states when a user logs out of gmail (in this example). What if you were half way through executing a DB/SQL update script that requires the user_id from your session, and all of a sudden it’s not there because the user just logged out of the gmail account? You’d have scripts falling over all over the place. Or what if they have 2 gmail accounts and log out of one account to check their mail in the other account. Bam, their logged out of all other sites. I think not 🙂
When a user “logs in” onto a site using a 3rd party credential provider, it is still their responsibility to log out of both sites if they want to.