How to log out user if I don't know them?

Ok-- imagine this simple scenario:

  1. User A logs into my site and then clicks ‘Forums’ on the site. They are redirected to Discourse, which calls back to my site via SSO and they’re authenticated and automatically logged into Discourse. Great, works perfectly.

  2. After a while, User A walks away from the computer and their session expires automatically. They never specifically click log out in my app OR on Discourse.

  3. User B logs into my site on the same device, clicks to go to the forums, and since Discourse still has User A logged in, never calls for SSO since the Discourse session is logged in. Now User B is logged into Discourse as User A. :-\

How can I handle this scenario?

Thanks,
Eric

You can hookup an api call to automatically log out discourse:
https://docs.discourse.org/#tag/Users/paths/~1admin~1users~1{id}~1log_out/post

2 Likes

Right, but how can I do this if the user has “walked away” from the computer and their session expired? Maybe this is more of a PHP question (which is what my main site is written in)…

This trick should still work:

3 Likes

@riking I’m sorry, I had a curious question.

How do services like auth0 handle automatic logout for discourse?

Could you clarify what you mean by this? What is the session length for your app? How are you handling session expiration there?

Discourse has a maximum session age setting which by default is set to 1440 hours, which is 60 days.

The short version is that if you don’t know the user at the computer has changed, there’s nothing you can easily do to prevent it. You could dial the session length down, or periodically call from your app to log out users, but then if your users are at the computer for longer periods of time, they’re going to find themselves going back through the authentication flow.

Discourse can extend whatever login and session flow you currently use, but without more information on the above it’s hard to see exactly where the problem and any opportunities lie.

4 Likes

Thank you for your reply! I realized that this problem ultimately is all about managing the user on the main site.

If the user manually logs out of the main site, then I have to call Discourse (via API) to log them out there as well.

And if the user doesn’t log out but their session expires, I have to call Discourse to log them out there at the same time.

And finally: when a user logs out of Discourse using “log out” there, I need to capture that event (via webhook) and log them out on my site too.

Whee, integration!