OK, imagine this simple scenario:
User A logs into my site and then clicks ‘Forums’ on the site. They are redirected to Discourse, which calls back to my site via SSO and they’re authenticated and automatically logged into Discourse. Great, works perfectly.
After a while, User A walks away from the computer and their session expires automatically. They never specifically click log out in my app OR on Discourse.
User B logs into my site on the same device and clicks to go to the forums. Since Discourse still has User A logged in, it never calls for SSO, since the Discourse session is logged in. Now User B is logged into Discourse as User A. :-\
How can I handle this scenario?