User A logs into my site and then clicks ‘Forums’ on the site. They are redirected to Discourse, which calls back to my site via SSO and they’re authenticated and automatically logged into Discourse. Great, works perfectly.
After a while, User A walks away from the computer and their session expires automatically. They never specifically click log out in my app OR on Discourse.
User B logs into my site on the same device, clicks to go to the forums, and since Discourse still has User A logged in, never calls for SSO since the Discourse session is logged in. Now User B is logged into Discourse as User A. :-\
Right, but how can I do this if the user has “walked away” from the computer and their session expired? Maybe this is more of a PHP question (which is what my main site is written in)…
Could you clarify what you mean by this? What is the session length for your app? How are you handling session expiration there?
Discourse has a maximum session age setting which by default is set to 1440 hours, which is 60 days.
The short version is that if you don’t know the user at the computer has changed, there’s nothing you can easily do to prevent it. You could dial the session length down, or periodically call from your app to log out users, but then if your users are at the computer for longer periods of time, they’re going to find themselves going back through the authentication flow.
Discourse can extend whatever login and session flow you currently use, but without more information on the above it’s hard to see exactly where the problem and any opportunities lie.
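One way to act on the "periodically call from your app to log out users" advice above, as an added example that is not part of the thread and is not Discourse's own code (written in Python rather than the original poster's PHP so it can be run as-is): when the main app's session expires, resolve the user through Discourse's `/users/by-external/{external_id}.json` lookup and hit the admin `/admin/users/{id}/log_out.json` endpoint. `DISCOURSE_URL`, `API_KEY`, `API_USERNAME`, the 30-minute idle limit and the in-memory session store are all assumptions; the HTTP sender is injectable so the flow runs offline against a constructed stand-in for Discourse.

```python
"""Log a user out of Discourse when their session in the main app ends.

Added example, not code from the thread or from Discourse. Assumptions:
DISCOURSE_URL, API_KEY and API_USERNAME are placeholders for a real forum and
an admin API key; the app's own user id was sent to Discourse as the SSO
external_id; the HTTP sender is injectable so the flow can be exercised
offline against a constructed stand-in for Discourse.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

DISCOURSE_URL = "https://forum.example.com"  # assumed
API_KEY = "replace-with-admin-api-key"       # assumed; log_out needs an admin-scoped key
API_USERNAME = "system"                      # assumed
APP_SESSION_MAX_IDLE = 30 * 60               # assumed: app session ends after 30 idle minutes

HEADERS = {"Api-Key": API_KEY, "Api-Username": API_USERNAME, "Accept": "application/json"}


def _default_sender(method, url, headers, body=None):
    """Real transport: returns (status, body_text); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def discourse_user_id(external_id, sender=_default_sender):
    """Resolve the SSO external_id to Discourse's internal user id, or None if unknown."""
    ext = urllib.parse.quote(str(external_id), safe="")
    status, text = sender("GET", f"{DISCOURSE_URL}/users/by-external/{ext}.json", HEADERS)
    if status != 200:
        return None
    return json.loads(text)["user"]["id"]


def log_out_of_discourse(external_id, sender=_default_sender):
    """Terminate the user's Discourse sessions via the admin log_out endpoint."""
    user_id = discourse_user_id(external_id, sender=sender)
    if user_id is None:
        return False
    url = f"{DISCOURSE_URL}/admin/users/{user_id}/log_out.json"
    status, _ = sender("POST", url, HEADERS, body=b"")
    return status == 200


def sweep_expired_sessions(sessions, now, sender=_default_sender):
    """Periodic job: drop app sessions idle past the limit and log those users out
    of Discourse as well, so the forum login cannot outlive the app login.
    `sessions` maps session id -> {"external_id": ..., "last_seen": epoch seconds}.
    Returns the external ids that were logged out of Discourse."""
    logged_out = []
    for sid, sess in list(sessions.items()):
        if now - sess["last_seen"] >= APP_SESSION_MAX_IDLE:
            del sessions[sid]
            if log_out_of_discourse(sess["external_id"], sender=sender):
                logged_out.append(sess["external_id"])
    return logged_out


def make_fake_sender(known_users):
    """Constructed stand-in for Discourse (no network). `known_users` maps
    external_id -> Discourse user id. Returns (sender, list_of_calls_made)."""
    calls = []

    def sender(method, url, headers, body=None):
        calls.append((method, url))
        if method == "GET" and "/users/by-external/" in url:
            ext = url.rsplit("/", 1)[1]
            ext = ext[:-5] if ext.endswith(".json") else ext
            if ext in known_users:
                return 200, json.dumps({"user": {"id": known_users[ext]}})
            return 404, json.dumps({"errors": ["not found"]})
        if method == "POST" and url.endswith("/log_out.json"):
            return 200, json.dumps({"success": "OK"})
        return 400, "{}"

    return sender, calls


if __name__ == "__main__":
    # Constructed session store: user 42 has been idle an hour, user 43 for 100 seconds.
    store = {
        "s1": {"external_id": "42", "last_seen": 0},
        "s2": {"external_id": "43", "last_seen": 3500},
    }
    fake, calls = make_fake_sender({"42": 7, "43": 8})
    print(sweep_expired_sessions(store, now=3600, sender=fake))  # ['42']
    print(calls)
```

Two caveats for anyone wiring this up: the admin log_out endpoint ends all of that user's Discourse sessions on every device, not only the shared browser, and if User B reaches the forum before the sweep has run, the window described in the thread is still open, so it is worth pairing this with a lower `maximum session age` rather than relying on either alone.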