


This is one of those places where usability and security cause radically different answers.

From a usability standpoint I have observed the following arguments:

- When I logout on Site a I only logout from here, and I can keep on using the other locations I am still logged into.
- When I press logout on Site a I actually only get redirected to Site b (the portal), and only when I log out from there am I actually logged out. (Mostly used in the context of an intranet or similar environment.)

From a security standpoint I have observed the following arguments:

- When a user does a logout, immediately invalidate ALL sessions for this user and log him/her/it out from any and all systems that are part of the SSO.
- When a user does a logout, inform the SSO provider, do not allow any new sessions, and log out of the current application, but there is no implicit logout from all systems in the SSO. This can be a technical limitation due to the technologies involved (and/or licenses), usually mitigated with short session times / cookie lifetimes.

There's probably no right answer here, but I'll advocate that "Log Out" only applies to your site.

It shows that I will be logged out of all Stack Exchange domains. It is my choice whether to only log me out of this device, or all devices (which I assume is delete-local-browser-cache vs invalidate-serverside-session). After logging out of SE, my Gmail tab continues to work.

Some reasons that I'm not comfortable with:

Usability: They are completely logged out of their SSO provider. I'd be pretty annoyed if I log out of Stack Exchange on my laptop and some time later discover that my phone's been kicked out of my Google account, causing me to miss urgent emails, chats, have unsynced Google Docs, etc.
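As an added illustration of the two security-side positions in the thread (this is not code from the thread or from any real SSO product; the store, the user and application names, and the session TTL are assumed), a toy session model in Python contrasts a global logout with a local logout that only ends the current application's session, tells the identity provider to refuse new sessions, and relies on a short per-application session lifetime for the rest:

```python
import time

# Assumed "short session time" mitigation: application sessions live 5 minutes.
APP_SESSION_TTL = 300


class SsoSessionStore:
    """Toy SSO state: one identity-provider (IdP) session per user plus
    one session per (user, application) pair, each with an expiry time."""

    def __init__(self, now=time.time):
        self.now = now              # injectable clock so the scenario is testable
        self.idp_sessions = set()   # users whose IdP login is currently live
        self.app_sessions = {}      # (user, app) -> expiry timestamp

    def login(self, user):
        self.idp_sessions.add(user)

    def open_app_session(self, user, app):
        # SSO rule: an application session can only be minted while the
        # user's IdP session is live.
        if user not in self.idp_sessions:
            return False
        self.app_sessions[(user, app)] = self.now() + APP_SESSION_TTL
        return True

    def is_app_session_valid(self, user, app):
        expiry = self.app_sessions.get((user, app))
        return expiry is not None and self.now() < expiry

    def logout_local(self, user, app):
        # Position B: end this app's session and tell the IdP to refuse new
        # ones; other apps' sessions are left to expire on their own TTL.
        self.app_sessions.pop((user, app), None)
        self.idp_sessions.discard(user)

    def logout_global(self, user):
        # Position A: invalidate every session for this user, everywhere.
        self.idp_sessions.discard(user)
        for key in [k for k in self.app_sessions if k[0] == user]:
            del self.app_sessions[key]


def compare_policies():
    """Run the same scenario under both policies (constructed data: user
    'alice', apps site_a/site_b/site_c) and report what the other
    application's session looks like right after logout and after the TTL."""
    results = {}
    for policy in ("local", "global"):
        clock = [1_000.0]
        store = SsoSessionStore(now=lambda: clock[0])
        store.login("alice")
        store.open_app_session("alice", "site_a")
        store.open_app_session("alice", "site_b")
        if policy == "local":
            store.logout_local("alice", "site_a")
        else:
            store.logout_global("alice")
        results[policy] = {
            "site_a_after_logout": store.is_app_session_valid("alice", "site_a"),
            "site_b_after_logout": store.is_app_session_valid("alice", "site_b"),
            "can_open_site_c": store.open_app_session("alice", "site_c"),
        }
        clock[0] += APP_SESSION_TTL + 1   # let the short TTL run out
        results[policy]["site_b_after_ttl"] = store.is_app_session_valid("alice", "site_b")
    return results
```

Under the local policy site_b keeps working until its TTL lapses but no new application can be entered; under the global policy every session is gone immediately, which is exactly the trade-off the thread describes.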
