How to log a user out of WebAuth using the Stanford Web Application Toolkit

From Web Services Wiki

Problem

You want to log a user out of WebAuth.

Solution

Though the only sure way to log out of WebAuth is closing the browser (see the discussion below), the toolkit provides a workaround. Provide users with a log out link and use the force_webauth_logout method in StanfordAuthorization to log a user out of WebAuth on the current subdomain.

Sample log out link:

<a href="logout.php">Log Out</a>

The source code for logout.php:

<?php
// Include StanfordAuthorization (part of the Stanford Web Application Toolkit)
include_once("stanford.authorization.php");

// Log the current user out; redirects to the WebAuth logout page.
// force_webauth_logout is a static method and must run before any output
// has been sent, because it modifies the HTTP headers.
StanfordAuthorization::force_webauth_logout();

The function force_webauth_logout must be called before any output is displayed since it modifies header information. For this reason, it is useful to have a separate script for handling the logout function, as shown above in logout.php.

Discussion

What does force_webauth_logout do?

The function performs two actions.

1. Deletes a cookie called webauth_at on the subdomain on which the application resides.

2. Forwards the user to weblogin.stanford.edu/logout to delete the single sign-on cookie on the weblogin subdomain.

As a result, the function logs the user out of all applications residing on the current subdomain, but not the entire domain. For example, logging a user out of www.stanford.edu does not affect applications residing on webmail.stanford.edu.

Due to the single sign-on nature of WebAuth, it is not currently possible to log a user out of a particular application without affecting all other applications on the same subdomain.

Once the user has been brought to weblogin.stanford.edu/logout they are informed that their single sign-on session has been deleted. Since the user is taken off-site to clear the cookies, some developers may wish to open the logout page in a new window.
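The following is an added illustration, not the toolkit's own code, of the two steps described above: expire the webauth_at cookie on the current subdomain, then send the browser to the WebAuth logout page, which is the only place the single sign-on cookie can be cleared. It also guards the "before any output" requirement from the Solution section by checking headers_sent(). The function name, the https:// scheme on the logout URL, and the cookie attributes (path "/", no explicit domain, Secure, HttpOnly) are assumptions; a cookie is only removed when the name, path and domain match the ones WebAuth used to set it, so these must mirror the real cookie on your subdomain.

```php
<?php
// Added example (not code from the Stanford Web Application Toolkit).
// Mirrors the two actions the discussion attributes to force_webauth_logout.
// Function name, URL scheme and cookie attributes are assumptions.

function illustrative_webauth_logout()
{
    // Headers cannot be changed once output has started. Fail loudly rather
    // than silently leaving the user logged in.
    if (headers_sent($file, $line)) {
        throw new RuntimeException(
            "Cannot log out: output already started at $file:$line"
        );
    }

    // Step 1: expire the webauth_at cookie for this subdomain.
    // Assumption: it was set with path "/" and no explicit domain (current
    // host). The deletion only takes effect when name, path and domain match
    // the cookie WebAuth set; Secure and HttpOnly are set to match as well.
    $expired = time() - 3600;
    setcookie('webauth_at', '', $expired, '/', '', true, true);

    // Drop it from the current request too, so nothing later in this script
    // treats the user as still authenticated.
    unset($_COOKIE['webauth_at']);

    // Step 2: hand off to the WebAuth logout page, which clears the single
    // sign-on cookie on the weblogin subdomain. The application cannot clear
    // that cookie itself, which is why the redirect is required.
    header('Location: https://weblogin.stanford.edu/logout', true, 303);
    exit;
}

illustrative_webauth_logout();
```

Because the cookie is scoped to one subdomain, this clears WebAuth state only for applications on the same host, exactly as the discussion above describes; other Stanford subdomains keep their own webauth_at cookies until the browser is closed.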

What are the drawbacks of using this function?

There are two problems with this method:

  • It is a rude approach. Logging a user out of the entire subdomain may affect other applications that a user is logged into. Additionally, since it redirects the user to the WebAuth logout page, it takes people away from your site.
  • It may provide a false sense of security. Seeing the WebAuth logout page is misleading, as it implies that the user is in fact logged out of WebAuth, when they are really only logged out of WebAuth on the current subdomain, not all of stanford.edu.

Let your users know that the most effective method of logging out of WebAuth is to close the browser. We suggest using the function in scenarios where the browser cannot be closed (for example, in a kiosk application).
