Bounceback logout: Difference between revisions

From RavenWiki
Revision as of 15:54, 9 October 2006

Proposal

My original request was:

I know that the recommended way to logout is to quit the browser. Nonetheless it would be handy for my current project (which will be used during our undergrad registration) if my web application could force a Raven logout, before returning to its front page for the next customer.
Is there any chance of offering a 'bounce-back' logout page which will take as a parameter a URL (on the originating host) to which to return?

The application in question is run in a kiosk mode for self-service on-line registration.

Jon replied:

Clearly this _could_ be done. The problem in general is that such a feature will only log the user out of your application and the central Raven server. If that's all that they have authenticated to then that's fine. But in general people will have authenticated to multiple sites and will be left authenticated to all the rest, probably without realising. There is also the issue that, for example, 'protected' content may remain accessible via the browser's 'back' button if the browser is not reset. I'm not sure this is something I'd want to encourage.
There are several ways to provide a 'central logout', but they are all complicated and none can be 100% reliable.

Nonetheless, others expressed interest in this feature for use under controlled circumstances.

Possible implementation

A dynamic page as part of the Raven authentication service which accepts a parameter specifying the bounce-back 'logged out' URL. Basic sanity checks could include that the request and bounce-back are on the same server and that the server is authorised to use Raven. Stronger protection, albeit with administrative overhead, could be provided by maintaining a mapping of authorised referrers and bounce-back destinations, and only adding those who make a reasonable case for the service.
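The checks sketched above are what stops a bounce-back parameter from becoming an open redirect on the authentication service. The following is an added example of how the validation step could be written, not code from the Raven service or from this proposal; the allowlist contents, host names, the function names and the rule that registered destinations are path prefixes are all assumptions made for illustration. It performs the two basic sanity checks (bounce-back on the same server as the request, server authorised to use Raven) and the stronger check (destination registered for that server), and also rejects the usual ways such a check is slipped past: non-https schemes, userinfo in the authority, and dot segments in the path.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist, standing in for the proposed mapping of authorised
# referrers to bounce-back destinations. Keys are hosts authorised to use the
# service; values are the registered 'logged out' destinations for that host.
# A destination ending in '/' is a prefix; anything else must match exactly.
AUTHORISED_BOUNCEBACKS = {
    "reg.example.ac.uk": ("/kiosk/",),               # hypothetical kiosk app
    "apps.example.ac.uk": ("/logout-done", "/home/"),  # hypothetical second site
}


class BouncebackError(ValueError):
    """Raised when a bounce-back URL fails validation."""


def validate_bounceback(request_host, url, allowlist=AUTHORISED_BOUNCEBACKS):
    """Return the normalised bounce-back URL, or raise BouncebackError.

    request_host is the host that made the logout request (as seen by the
    service, not taken from the URL parameter itself).
    """
    parts = urlsplit(url)

    # Only absolute https URLs: rejects javascript:, data:, scheme-relative
    # ('//evil.example/...') and plain relative paths alike.
    if parts.scheme != "https":
        raise BouncebackError("bounce-back must be an absolute https URL")

    # 'https://trusted.host@evil.example/' parses with hostname evil.example;
    # refuse userinfo outright so the host comparison below is unambiguous.
    if parts.username is not None or parts.password is not None:
        raise BouncebackError("userinfo is not allowed in a bounce-back URL")

    host = (parts.hostname or "").lower()
    if not host:
        raise BouncebackError("bounce-back URL has no host")

    # Sanity check 1: request and bounce-back must be on the same server.
    if host != request_host.lower():
        raise BouncebackError("bounce-back host differs from requesting host")

    # Sanity check 2: that server must be authorised to use the service.
    destinations = allowlist.get(host)
    if destinations is None:
        raise BouncebackError("host is not authorised to use the service")

    # Refuse paths whose normalised form differs ('/kiosk/../admin'),
    # so the prefix match below cannot be escaped with dot segments.
    path = parts.path or "/"
    if posixpath.normpath(path) not in (path, path.rstrip("/")):
        raise BouncebackError("bounce-back path contains dot segments")

    # Stronger protection: destination must be registered for this host.
    if not any(path == d or (d.endswith("/") and path.startswith(d))
               for d in destinations):
        raise BouncebackError("destination is not registered for this host")

    # Rebuild the URL from the validated parts; the fragment is dropped.
    return urlunsplit(("https", host, path, parts.query, ""))


def is_safe_bounceback(request_host, url, allowlist=AUTHORISED_BOUNCEBACKS):
    """Boolean convenience wrapper around validate_bounceback."""
    try:
        validate_bounceback(request_host, url, allowlist)
        return True
    except BouncebackError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one acceptable bounce-back, then the kinds of
    # parameter a validator in this position has to turn away.
    samples = [
        ("reg.example.ac.uk", "https://reg.example.ac.uk/kiosk/done?next=1#top"),
        ("reg.example.ac.uk", "http://reg.example.ac.uk/kiosk/"),
        ("reg.example.ac.uk", "https://reg.example.ac.uk@evil.example/kiosk/"),
        ("reg.example.ac.uk", "https://evil.example/kiosk/"),
        ("reg.example.ac.uk", "https://reg.example.ac.uk/kiosk/../admin"),
        ("apps.example.ac.uk", "https://apps.example.ac.uk/logout-done-x"),
    ]
    for request_host, candidate in samples:
        verdict = "accept" if is_safe_bounceback(request_host, candidate) else "reject"
        print(f"{verdict}: {candidate}")
```

The requesting host is deliberately an input to the function rather than something read from the parameter, since the same-server check is meaningless if both sides come from the attacker-controlled query string; in a real service it would come from the authenticated request context. Ports are ignored here (the comparison is on hostname only), which is a simplification to be aware of if a site legitimately runs on a non-default port.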

Workarounds