How does logout work?
judgej
The documentation describes how authenticate.php supplies user information so that the user can be set up and/or logged into Vanilla. I have set up a test script that just echoes some sample user information, and that works fine.
I have also set up a sample signout.php page that basically does nothing. When I try to sign out of Vanilla, the page is displayed as expected. Now when I go back to Vanilla, the user is still logged in. This happens even if I return a blank page from authenticate.php.
I'm using ProxyConnect v1.7. What am I doing wrong? Should the user not be logged out of Vanilla, and then sent to the external application to be logged out of there too? Only the second step seems to be happening.
-- Jason
PS Thinking about it, what should the external application signout page do once the user has been logged out of that application? Is there any way to send the user back to where they were when they clicked on "sign out", or is the user expected to be sent to some page on the CMS?
Just noticed that the signout URL just replaces the normal signout URL, so the user is simply sent to the external application and left logged into the forum. How does the user actually get logged out of Vanilla?
Comments
Vanilla Forums COO [GitHub, Twitter, About.me]
I'll have a play with 1.8 - is that downloadable, or do I need to fetch a nightly?
As for the session... Vanilla is stateless, in that we don't keep server-side sessions. The cookie provides the userid and a hash. If the cookie passes inspection the user is "logged in" for the duration of that page load. Destroying the cookie is all we do during a normal logout anyway.
Vanilla Forums COO [GitHub, Twitter, About.me]
I wonder if a regular check should be made to see if the user is still logged into the external application? Maybe check the authenticate page if there has been no activity in the forum for a certain time? Perhaps just ensuring the user is logged out of the forum as soon as they close the browser (session cookies) would be sufficient?
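Added example, not part of the thread and not Vanilla's or ProxyConnect's code: a minimal PHP sketch of the stateless "userid plus hash" cookie described above, showing why logout amounts to expiring the cookie and how a browser-session cookie with a signed expiry bounds its lifetime. The cookie name, layout (`userid|expires|HMAC`), key and function names are all assumptions made for illustration.

```php
<?php
// Illustration only: NOT Vanilla's real cookie format or code.
// Assumed layout: "<userid>|<expires>|<hex HMAC-SHA256 of userid|expires>".
const COOKIE_NAME = 'ForumAuth';                  // hypothetical cookie name
const SECRET = 'constructed-demo-key-change-me';  // constructed sample key
const COOKIE_OPTS = ['path' => '/', 'secure' => true,
                     'httponly' => true, 'samesite' => 'Lax'];

function make_cookie_value(int $userId, int $expires): string {
    $payload = $userId . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, SECRET);
}

// Returns the user id if the cookie passes inspection, otherwise null.
// No server-side session is consulted: the cookie alone decides.
function verify_cookie_value(string $value, int $now): ?int {
    $parts = explode('|', $value);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    [$userId, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $userId . '|' . $expires, SECRET);
    if (!hash_equals($expected, $mac)) {  // constant-time comparison
        return null;
    }
    return ((int)$expires > $now) ? (int)$userId : null;
}

function issue_cookie(int $userId, int $now, int $ttl): void {
    // 'expires' => 0 makes this a browser-session cookie; the signed expiry
    // inside the value still bounds its lifetime when the server checks it.
    setcookie(COOKIE_NAME, make_cookie_value($userId, $now + $ttl),
              ['expires' => 0] + COOKIE_OPTS);
}

// Logout only tells the browser to drop the cookie (expiry in the past).
function logout(): void {
    setcookie(COOKIE_NAME, '', ['expires' => 1] + COOKIE_OPTS);
}

// Constructed sample run: a valid cookie, a tampered user id, an expired one.
$now = 1700000000;
$cookie = make_cookie_value(42, $now + 3600);
var_dump(verify_cookie_value($cookie, $now));
var_dump(verify_cookie_value('43' . substr($cookie, 2), $now));
var_dump(verify_cookie_value($cookie, $now + 7200));
```

Because the server keeps no record of the sign-out, a copy of the cookie value saved before `logout()` would still verify until its signed expiry passes, so a short lifetime is the only server-side bound in this design.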