How to sync logout with SSO or Browser session?

Scenario:

User one starts a browser and connects to the Forum using SSO, works for a while and then closes browser.

User two starts a browser on the same machine and logs into the Forum again using SSO. The process takes him through the full login with his credentials but when he enters the forum he is logged in as User one.

Discourse will allow the session timeout to be set to a minimum of one hour. This means that the user can return to the PC within one hour and simply log in and gain the identity of the previous user from cookies.

There was a fix back in 2016 to allow the cookies to die when the browser was closed but this was reverted.

This makes the software very insecure in an environment where multiple people use the same workstation if the browser has not been configured to work in private mode.

Is there a fix to this?

Thanks

Peter

Same question, same answer:

https://github.com/discourse/discourse/commit/09ef5f613ef5fdf74554707de1fdccc935c6b0b9

You can check the code from the above commit, that was reverted, and port it to a plugin to suit your needs.

You can also code a logout integration in your SSO system, so when a user logs out it calls Discourse to terminate all existing sessions of the same user.

And no, this is not considered a security flaw.


It is sad that the code was reverted as it had considerable value in situations like this.

Can you please provide pointers to the Discourse calls necessary to terminate the sessions.

Thanks, Rafael

There is a handy guide about that here:

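The logout integration suggested above (the SSO system calling Discourse when a user logs out, and the follow-up request for pointers to the Discourse calls involved), as an added example that is not code from the thread or from Discourse itself. It assumes two Discourse admin API endpoints, `GET /users/by-external/{external_id}.json` to map the SSO subject to a forum user id and `POST /admin/users/{id}/log_out.json` to destroy every session of that user, authenticated with an `Api-Key`/`Api-Username` header pair belonging to an admin account; confirm both against your Discourse version before deploying. The `FakeDiscourse` class, the hostname and the external ids are constructed so the code runs offline.

```python
"""SSO-side logout hook that terminates a user's Discourse sessions.

Added example (not Discourse's own code, not from the thread). Assumed
Discourse admin API, to be verified against your version:
  GET  /users/by-external/{external_id}.json  -> {"user": {"id": N, ...}}
  POST /admin/users/{id}/log_out.json         -> {"success": "OK"}
"""
import json
import urllib.error
import urllib.parse
import urllib.request


class DiscourseSessionTerminator:
    """Calls Discourse to destroy every session of one user.

    `send` is an injectable transport (method, url, headers) -> (status, body)
    so the logic can be exercised offline; the default uses urllib.
    """

    def __init__(self, base_url, api_key, api_username="system", send=None):
        self.base_url = base_url.rstrip("/")
        self.headers = {
            "Api-Key": api_key,            # keep this secret on the SSO server
            "Api-Username": api_username,  # must be an admin account
            "Accept": "application/json",
        }
        self.send = send or self._urllib_send

    @staticmethod
    def _urllib_send(method, url, headers):
        req = urllib.request.Request(url, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as e:
            return e.code, e.read()

    def user_id_for_external(self, external_id):
        """Map the SSO subject (external_id) to the Discourse user id."""
        quoted = urllib.parse.quote(str(external_id), safe="")
        url = f"{self.base_url}/users/by-external/{quoted}.json"
        status, body = self.send("GET", url, self.headers)
        if status == 404:
            return None  # this subject never logged in to the forum via SSO
        if status != 200:
            raise RuntimeError(f"user lookup failed: HTTP {status}")
        return json.loads(body)["user"]["id"]

    def log_out_user(self, user_id):
        """Invalidate all of the user's Discourse sessions on every device."""
        url = f"{self.base_url}/admin/users/{int(user_id)}/log_out.json"
        status, body = self.send("POST", url, self.headers)
        if status != 200:
            raise RuntimeError(f"log_out failed: HTTP {status}")
        return json.loads(body).get("success") == "OK"

    def on_sso_logout(self, external_id):
        """Call this from the SSO logout handler. Returns True if a Discourse
        user was found and logged out, False if no such forum user exists."""
        uid = self.user_id_for_external(external_id)
        if uid is None:
            return False
        return self.log_out_user(uid)


class FakeDiscourse:
    """Constructed stand-in for a Discourse instance (offline test double)."""

    def __init__(self):
        self.users = {"peter@example.org": 42}  # external_id -> forum user id
        self.logged_out = []

    def __call__(self, method, url, headers):
        assert headers.get("Api-Key"), "Api-Key header missing"
        if method == "GET" and "/users/by-external/" in url:
            ext = urllib.parse.unquote(url.rsplit("/", 1)[1][: -len(".json")])
            if ext in self.users:
                return 200, json.dumps({"user": {"id": self.users[ext]}}).encode()
            return 404, b'{"errors":["not found"]}'
        if method == "POST" and url.endswith("/log_out.json"):
            uid = int(url.rsplit("/", 2)[1])
            if uid in self.users.values():
                self.logged_out.append(uid)
                return 200, b'{"success":"OK"}'
            return 404, b'{"errors":["not found"]}'
        return 500, b""


def demo():
    """Run the hook against the fake: one known subject, one unknown."""
    fake = FakeDiscourse()
    t = DiscourseSessionTerminator("https://forum.example.org", "secret", send=fake)
    return {
        "known": t.on_sso_logout("peter@example.org"),
        "unknown": t.on_sso_logout("nobody@example.org"),
        "logged_out": list(fake.logged_out),
    }
```

Note the limit of this approach: it only fires when the user actually logs out of the SSO. The scenario in the original post, a user who simply closes the browser without logging out, is not covered by a logout hook; that case depends on the Discourse session cookie expiring with the browser, which is what the reverted commit above changed.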