Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Logout from forum, when user logs out from my page

Hi,

so I am using this great plugin (jsConnect) in combination with auto signin for SSO. When user logs in my site, he is also automatically logged in forum. What I would like to do is, that when user logs out from my site, he would also be logged out from forum. Is there any way to do this? I was thinking about requesting forums logout page, but my application would need to get vanillas transient key first... Any ideas how to do this? Thanks for any help!

Comments

  • Destroying (read expiring) the Vanilla session cookie on your logout page should do the trick.

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • thanks. does the cookie has always the same name?

  • cookie name is defined in your config. Delete the cookie with SOMETHING that should be sufficient

    $Configuration['Garden']['Cookie']['Name'] = 'SOMETHING';

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • and what to do if the forum and the application are in different domains?
    You can`t delete the cookie from other domain or i am wrong?

  • @simashin said:
    and what to do if the forum and the application are in different domains?
    You can`t delete the cookie from other domain or i am wrong?

    The browser is only going accept a request to expire a cookie if it comes from the same domain for security reasons. What you could do is send a message to expire the cookie. You would need to create a secure api to do this, which could be an extension of jsConnect.

    grep is your friend.

  • You site has a redirection that goes to the other sites logout after login out, and in the target of that login url it sends it back to the site. it is a bit roundabout but could work.

    You can't do ajax, but you could load within an iframe the logout url. You can use some clever styling to make sure this is not clearly visible.

    These are two methods.

    grep is your friend.

  • this would need to be done after you have killed the first session.

    grep is your friend.

  • simashinsimashin New
    edited August 2013

    So, for now there is no normal way to do logout for the forum, when user logout`s from our app.

    Ehhh, if i'd knew that earlier, than i'd better to setup the app and the forum on the same domain :(.
    But that`is not the solution for embed forum that are used in many apps, for example - on the test server we had one vanilla forum, that embeds into 5 tests aps ;), and as you can guess - they are all on different domains.

  • x00x00 MVP
    edited August 2013

    @simashin said:
    So, for now there is no normal way to do logout for the forum, when user logout`s from our app.

    Ehhh, if i'd knew that earlier, than i'd better to setup the app and the forum on the same domain :(.
    But that`is not the solution for embed forum that are used in many apps, for example - on the test server we had one vanilla forum, that embeds into 5 tests aps ;), and as you can guess - they are all on different domains.

    Why would you expect it to work? It is crossdomain. The solutions I gave are decent, and in line the jConnect philosophy, which uses the client to do the work.

    If you didn't use jsConnect, or similar you would not have been able to do SSO crossdomain in the first place. it work because it is client based.

    If you did via a verified jsonp request like jsConnect to log them out, you would still have to wait, till they try to visit the forum again to expire the cookie and kill the session

    Due to the stateless nature of the web, and the fact that session are really client held references to authentication, and data, an there is really is not such thing as being "logged into" a site.

    grep is your friend.

  • I choose the solution with redirects.
    Wrote php script which deletes cookies and redirects back to referer page (to app). I put this script into the forum server/domain of course.
    In our app which use embeded jsconnect vanilla i made redirect to that script when user logouts from our app.

    Works fine. Of course it is ugly thing with that 2 redirects (1 to forum, 2 back to app), but if you really need the forum logout after your app logout - it makes the deal.

  • well you could simply point to this in a hidden iframe.

    grep is your friend.

Sign In or Register to comment.