On a website I have implemented the login using OpenID (based on StackOverflow). But I can't seem to log out. On my host I can log out, but when the user tries to log in again (especially with Google) the authentication goes through without requiring the user to type in name and password.
How can I indicate to the OpenID Provider that a user is no longer logged into the site?
Tags: php, web-services, openid, logout
asked Sep 6 '09 at 7:06 by Loki Astari
It's up to the OpenID provider. If you logged out of Google, I'm sure you'd be prompted again. – derobert Sep 6 '09 at 7:12
To whoever flagged this as belonging on SuperUser, you're wrong - it's quite clearly a programming question about OpenID implementation in a webapp. – Amber Sep 6 '09 at 7:12
@Dav: Sorry, I read it way too quickly, but unfortunately there isn't a way to undo a close vote. Thankfully, it doesn't matter so long as four other people don't make the same mistake. – derobert Sep 6 '09 at 7:21
No worries, we all make mistakes sometimes. :) – Amber Sep 6 '09 at 8:16
It's a good idea to check if it's all ok with (sessions|cookies) on your site anyway. – Oleksandr Bolotov Sep 6 '09 at 8:35
OpenID authenticates users to your site, which then starts a session on your site. You destroy or invalidate your site's session separately from the user's session with their OpenID provider.
User visits joewidgets.com > User logs in with OpenID (with a new or existing provider session) > ... User clicks logout > joewidgets.com destroys/invalidates the session.
If the user has their OpenID provider keep them logged in, and your system automatically checks, then it will create a new local session. (Un)fortunately, you don't/can't worry about what the user does or does not do at their provider, which is a pro/con of OpenID. There is an argument at Social Lipstick which calls for "Single Sign-Out", but OpenID does not currently provide this function.
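The local half of that flow, as an added example that is not part of the original answer: a PHP logout endpoint that ends only this site's session and accepts the request only as a POST carrying a per-session token, so another page cannot trigger it with a plain GET. The `csrf_token` field name and the `/` redirect target are assumptions.

```php
<?php
// Added example: local logout for a site that signs users in with OpenID.
// It ends only this site's session; the provider session is untouched.
// The 'csrf_token' field name and the '/' redirect target are assumptions.
declare(strict_types=1);

/** Create (once per session) the token that the logout form must echo back. */
function logout_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** True only for a POST that carries this session's token. */
function is_valid_logout_request(string $method, array $post, array $session): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    return $method === 'POST'
        && is_string($expected) && $expected !== ''
        && is_string($supplied)
        && hash_equals($expected, $supplied);
}

/** Drop all local state: session data, session cookie, server-side record. */
function destroy_local_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

session_start();
if (!is_valid_logout_request($_SERVER['REQUEST_METHOD'] ?? '', $_POST, $_SESSION)) {
    http_response_code(403);
    exit('Logout request rejected.');
}
destroy_local_session();
header('Location: /', true, 303);
exit;
```

The page that renders the logout button calls `logout_token()` and places the value in a hidden `csrf_token` form field. Nothing here contacts the OpenID provider, so a user who is still signed in there can be signed back in without a prompt on the next login attempt.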
That's generally something handled by the OpenID provider - for instance, if the user remains logged into their Google account and checked the box to "remember" the OpenID authorization for your particular site, then the provider will transparently log them in and redirect them back without displaying the login prompt.
This is called Single Logout or Single Sign-Out, which OpenID doesn't support. In my opinion, SSO without logout is a big security hole. Logging out a single site doesn't mean much if others can just get in with a few clicks.
For now, we have to remember the provider. If it's someone we know, we trigger the logout process for them. For Google, the URL is google.com/accounts/Logout. The logout flow is ugly but it does the job.
Now that's just mean! The reason I like OpenID is that I'm in control, not the site I'm at. Log me out of my gmail, and I'll never visit your site again. – JasonWoof Sep 6 '09 at 8:33
It should ask to log out instead of just logging out. Is that possible? – Alfred Jun 29 '11 at 3:30
Wow! I absolutely had no idea that Google allows logging out with a plain GET request. This is practically a DoS attack waiting to happen (e.g. an iframe with that address will log the site's reader out of Google!) – Mikko Rantalainen Jan 31 at 11:26
"It's a feature, not a bug." The ID provider can choose to keep the user authorized for the provider through cookies, and further can choose not to re-prompt the user about sharing the same information that was shared previously (with a prompt). So when the user on Site A asked to be authorized through Site B, and got redirected, Site B first asked the user to authenticate himself or herself. Then Site B asked if it should share any information (and sometimes which information) with Site A.
At this point it will also customarily ask if you want to automatically share this same information in the future. Some providers will assume yes, some no, some won't ask. Site B then redirects to Site A and shares the information, you're now logged in.
If Site A makes a second redirection to Site B to request a login, Site B might:
1) Already have a cookie that authenticates the current user of Site B.
2) Already have a record of what information is acceptable to share with Site B.
3) Automatically share this information through a redirect without pausing to prompt the user at all.
This is a feature centered around convenience.