Disabling user signout on all sessions

sso

(system) #1

Hi,

We are using SSO for logging in users to our discourse instance. What we want is that user should also be logged out from forum, if he logs out on the main app, and vice versa. The way we are achieving this is, we call the Discourse API to logout when the user logs out on main app to log out from Discourse and the Discourse logout url points to our app logout url.

The only issue occurs is that using the Discourse API, all sessions on all devices are logged out. If we disable strict logout, the logout via API doesn’t work.

Would it be possible to achieve this functionality so that we can only logout users on forum, who logged in with a particular session on app? Or else, if somebody could guide how we can achieve such a functionality via a custom plugin.

Thanks!


Is Discourse supposed to log you out across browsers?
(Sam Saffron) #2

that is technically very very tricky, there is not built in mechanism for this.


(Jeff Atwood) #3

Why would you want only one session to log out? Can you describe the use case with a real world example?


(system) #4

Lets say the user is signed in on our app and using the forum on multiple devices (phone, work desktop, laptop). If he chooses to sign out of his session on the work desktop, we wouldn’t want to log him out on his mobile or laptop.

In some sense, we want to maintain parity between the app session and discourse session, i.e. if the user is logged in the app on a device, he is also logged into the forum and vice versa, so that the experience is seamless. We understand that using SSO, this might be tricky, and we are ok with having the user to sign in separately into discourse the first time, but after that we would want to maintain parity in app session and discourse session.


(Michael Downey) #5

This is NOT a desirable default whatsoever. I don’t know of any other web app in All Of The Internet that logs out all sessions everywhere when the user clicks the logout button.

It happened to me yesterday when I logged in on a public terminal. I clicked log out when I was done, then have to log in again on about 23857124 other browsers/computers/devices.

I didn’t know this log out strict was now a site setting, but have now disabled it. Having this behavior happen by default is not sane and not cool.