
How does logout work?

judgej
edited September 2010 in Vanilla 2.0 - 2.8
The documentation describes how authenticate.php supplies user information so that the user can be set up and/or logged into Vanilla. I have set up a test script that just echoes some sample user information, and that works fine.

I have also set up a sample signout.php page that basically does nothing. When I try to sign out of Vanilla, the page is displayed as expected. Now when I go back to Vanilla, the user is still logged in. This happens even if I return a blank page from authenticate.php.

I'm using ProxyConnect v1.7. What am I doing wrong? Should the user not be logged out of Vanilla, and then sent to the external application to be logged out of there too? Only the second step seems to be happening.

-- Jason

PS Thinking about it, what should the external application signout page do once the user has been logged out of that application? Is there any way to send the user back to where they were when they clicked on "sign out", or is the user expected to be sent to some page on the CMS?

Just noticed that the signout URL just replaces the normal signout URL, so the user is simply sent to the external application and left logged into the forum. How does the user actually get logged out of Vanilla?

Comments

  • Tim (Vanilla Staff)
    1.8 has a much more robust logout mechanism. In 1.7 and prior, our remote plugin was doing the work of unsetting cookies etc.

    Vanilla Forums COO [GitHub, Twitter, About.me]

  • Ah right, so the Vanilla cookie was being removed completely rather than the user being logged out. The session is still there on the server, but the key to access it has been thrown away.

    I'll have a play with 1.8 - is that downloadable, or do I need to fetch a nightly?
  • Tim (Vanilla Staff)
    1.8 isn't available yet, not even via source control. I'll be working on ProxyConnect next week and should have something available then.

    As for the session... Vanilla is stateless, in that we don't keep server-side sessions. The cookie provides the userid and a hash. If the cookie passes inspection the user is "logged in" for the duration of that page load. Destroying the cookie is all we do during a normal logout anyway.

    Vanilla Forums COO [GitHub, Twitter, About.me]

  • Thanks. That makes things a little clearer. I'll go with that for now and look forward to next week's treats :-)
  • Just running tests using some simple signin/signout/authenticate scripts, and I noticed that it is possible for the session with the external application to expire while leaving the user logged into the discussion forum. So long as the user does not click "signout" then they will remain logged in for as long as the cookie lasts.

    I wonder if a regular check should be made to see if the user is still logged into the external application? Maybe check the authenticate page if there has been no activity in the forum for a certain time? Perhaps just ensuring the user is logged out of the forum as soon as they close the browser (session cookies) would be sufficient?
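As an added illustration (not Vanilla's or ProxyConnect's own code), here is a minimal stateless "userid + hash" cookie of the kind Tim describes, extended with a verified-at timestamp so that the forum can tell when it is time to re-check the external application, which is the "regular check" suggested above. The secret key and the 15-minute re-check interval are assumptions for the example.

```python
import hmac
import hashlib

# Constructed example, not Vanilla's own code. The cookie carries the
# user id, the time the external app last confirmed the login, and an
# HMAC over both so the client cannot alter either field.
SECRET = b"example-secret-key-change-me"   # assumption: server-side cookie key
REVALIDATE_AFTER = 15 * 60                 # assumed re-check interval (seconds)

def issue_cookie(user_id: int, verified_at: int, secret: bytes = SECRET) -> str:
    """Build 'userid|verified_at|hmac'. verified_at is when the external
    application last confirmed that this user is still logged in there."""
    payload = f"{user_id}|{verified_at}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def check_cookie(cookie, now: int, secret: bytes = SECRET):
    """Return (user_id, needs_revalidation), or None if the cookie is missing
    or fails inspection. needs_revalidation is True once the external
    application has not confirmed the login within REVALIDATE_AFTER; the
    forum should then ask the authenticate page again before trusting it."""
    if cookie is None:
        return None
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    payload = "|".join(parts[:2])
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so a forged hash cannot be refined byte by byte
    if not hmac.compare_digest(expected, parts[2]):
        return None
    user_id, verified_at = int(parts[0]), int(parts[1])
    return user_id, (now - verified_at) > REVALIDATE_AFTER

def logout(cookie_jar: dict) -> None:
    """Stateless logout: there is no server-side session to destroy, so
    removing the cookie is the whole job, exactly as described above."""
    cookie_jar.pop("Vanilla", None)

if __name__ == "__main__":
    jar = {"Vanilla": issue_cookie(42, verified_at=1000)}
    print(check_cookie(jar["Vanilla"], now=1500))     # (42, False): still fresh
    print(check_cookie(jar["Vanilla"], now=5000))     # (42, True): re-check the external app
    logout(jar)
    print(check_cookie(jar.get("Vanilla"), now=5000)) # None: cookie gone, user logged out
```

Issuing the cookie without an Expires attribute (a session cookie) would additionally cover the browser-close case raised above, since the re-check interval only bounds how long a stale external login is trusted while the cookie exists.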