
How to make single logout with SSO by jsConnect?

Khrone New
edited August 2012 in Vanilla 2.0 - 2.8

Hi,

I have a site "a.com" and forum "f.a.com". When I log in to my site "a.com" I'm logged in to my forum too. But if I try to log out using "a.com" I'm logged out only from "a.com", not from Vanilla at "f.a.com". Then I must log out from "f.a.com" by hand to be fully out.

How can I make it so that I click logout on "a.com" and I'm logged out from both "a.com" and Vanilla at "f.a.com"?

I'm using current Vanilla and jsConnect.

Cheers,
Khrone

Answers

  • Todd Chief Product Officer Vanilla Staff

    You can redirect to the forums sign out page /entry/signout?Target=http://... after signing your forum.

  • Yeah, I have tried this, but the user had to click "logout" on "/entry/signout/" - this should be a >single< logout button. I wrote a "_force_logout.php" script, put it on "f.a.com", and it was deleting all cookies that Vanilla had produced. It was working for a while...

    ...but then jsConnect stopped cooperating. When I logged in as a different user with a different unique id on "a.com" and tried to log in to the forum, Vanilla said something like "You already have an account, give password for it" - even if this specific user has never been on the forum before.

    I don't know how to fix this, maybe this issue is connected to my "_force_logout.php" script, maybe not all cookies should be deleted... I'll reinstall the forum on my website and try to start again.

  • Todd Chief Product Officer Vanilla Staff

    We won't auto-signout a user with a GET request unless their transient key is present. This protects us from XSS-style attacks with images. In more recent versions of Vanilla we've added JavaScript to sign the user out upon hitting the signout page.

    Killing Vanilla's cookies is possible if you have access to their cookie domain. If this isn't working for you, you'd need to open your favorite web debugger and check the cookies and cookie commands.

  • netigate New
    edited November 2012

    It is easier than you think. Remove the logout link from your forum's template and use the WordPress logout link instead, like /wp-login.php?action=logout

    You will then get a page where the user can confirm the logout. Restyle that page and nobody will know ,-)

  • @Todd said:
    You can redirect to the forums sign out page /entry/signout?Target=http://... after signing your forum.

    I just want to try this out as well, but where would I set up your redirect? Is this done via routes?

  • WordPress also requires a nonce if you don't want the warning "did you mean to log out...", etc.

    grep is your friend.

  • Todd Chief Product Officer Vanilla Staff
    via Email

    You have to set up the redirect on the signout page of your app, not Vanilla.

  • businessdad Stealth contributor MVP

    +1 for @Todd. That's precisely what I'm going to do. No need to manipulate cookies, simply tell each site to logout as it normally does. The nonce can become an issue, but it can be handled.
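
The transient key Todd describes and the WordPress nonce mentioned above are the same kind of check. As an added example (not Vanilla's or WordPress's code; the `tk` parameter, the function names and the host list are assumptions), this sign-out handler acts on a GET only when it carries the session's key, falls back to a confirmation page otherwise, and restricts `Target` to known hosts:

```php
<?php
// Added illustration, not Vanilla or WordPress code; all names are hypothetical.

// Per-session secret that every sign-out link rendered for this user carries.
function transient_key(array &$session): string {
    if (empty($session['tk'])) {
        $session['tk'] = bin2hex(random_bytes(16));
    }
    return $session['tk'];
}

// Accept Target only if it is a plain http(s) URL on a host we own; this keeps
// the post-logout redirect from becoming an open redirect.
function safe_target($target, array $allowedHosts, string $fallback): string {
    $ok = is_string($target)
        && preg_match('#^https?://([a-z0-9.-]+)(?:/[\x21-\x5b\x5d-\x7e]*)?\z#i', $target, $m) === 1
        && in_array(strtolower($m[1]), $allowedHosts, true);
    return $ok ? $target : $fallback;
}

// Decide what a GET request to the sign-out URL is allowed to do.
function handle_signout(array &$session, array $query, array $allowedHosts): array {
    $target = safe_target($query['Target'] ?? null, $allowedHosts, '/');
    if (empty($session['user_id'])) {
        return ['action' => 'redirect', 'location' => $target]; // already signed out
    }
    $supplied = $query['tk'] ?? '';
    if (is_string($supplied) && hash_equals(transient_key($session), $supplied)) {
        $session = []; // end the session; a real app also expires its cookies
        return ['action' => 'redirect', 'location' => $target];
    }
    // Missing or wrong key: an <img src> or link planted on another site lands
    // here, so nothing changes until the user confirms with a POST form.
    return ['action' => 'confirm', 'location' => null];
}

// Constructed demo: one signed-in session and three GET requests.
$session = ['user_id' => 42];
$key = transient_key($session);
$requests = [
    'cross-site image, no key' => ['Target' => 'http://a.com/'],
    'wrong key'                => ['tk' => str_repeat('0', 32), 'Target' => 'http://a.com/'],
    'own link, foreign Target' => ['tk' => $key, 'Target' => 'http://evil.example/'],
];
foreach ($requests as $label => $query) {
    $result = handle_signout($session, $query, ['a.com', 'f.a.com']);
    printf("%-26s -> %s %s\n", $label, $result['action'], $result['location'] ?? '');
}
```

The first two requests leave the session intact; only the third, which carries the real key, ends it, and its off-site `Target` is replaced by the fallback.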
