Bounceback logout
Proposal
My original request was:
- I know that the recommened way to logout is to quit the browser. None-the-less it would be handy for my current project (which will be used during our undergrad registration) if my web application could force a Raven logout, before returning to its front page for the next customer.
- Is there any chance of offering a 'bounce-back' logout page which will take as a parameter a URL (on the originating host) to which to return?
The application in question is run in a kiosk mode for self-service on-line registration.
Jon replied:
- Clearly this _could_ be done. The problem in general is that such a feature will only log the user out of your application and the central Raven server. If that's all that they have authenticated to then that's fine. But in general people will have authenticated to multiple sites and will be left authenticated to all the rest, probably without realising. There is also the issue that, for example, 'protected' content may remain accessible via the browsers 'back' button if the browser is not reset. I'm not sure this is something I'd want to encourage.
- There are several ways to provide a 'central logout', but they are all complicated and none can be 100% reliable.
None-the-less, others expressed interest in this feature for use under controlled circumstances.
Possible implementation
A dynamic page as part of the Raven authentication service which accepts a parameter specifying the bounce-back 'logged out' URL. Basic sanity checks could include that the request and bounce-back are on the same server and that the server is authorised to use Raven. Stronger protection, albeit with administrative overhead, could be provided by maintaining a mapping of authorised referrers and bounce-back destinations, and only adding those who make a reasonable case for the service.
Workarounds
Andrew Thornton suggested using an iframe, and Jon concurs:
- It's possible that in this case something based on an iframe or a meta-redirect or even a new window, perhaps with a spot of JavaScript, to https://raven.cam.ac.uk/auth/logout.html as suggested by Andrew Thornton could provide a satisfactory solution. In the end _you_ have to decide is satisfactory for _your_ users.
Julian King suggests investigating kiosk modes on Firefox to handle the clearing of cookies:
- If this is for something with a kiosk mode, for example, which could limit thte exposure for other websites, then wouldn't it be better to either restart the browser, or to add some functionality with wiped out all the cookies on the browser. As I understand it the latter should be relatively easy on firefox given some of the other plugins that exist.
I haven't had time to follow up on these suggestions yet, but will update this page if/when I do. For the moment, we're running Firefox in a loop and instructing users to exit from the browser on completion. Most of them even managed to do so...
--mjg17 17:01, 9 October 2006 (BST)