The session with Twitter is defined by a cookie owned by Twitter — something you do not have control over. You cannot log them out of Twitter on their behalf. If you want someone to be able to use your “switch twitter account” functionality, you’ll need to pass them off to the OAuth handshake again, … Read more
Create a middleware using artisan: php artisan make:middleware RevalidateBackHistory Within RevalidateBackHistory middleware, we set the header to no-cache and revalidate: <?php namespace App\Http\Middleware; use Closure; class RevalidateBackHistory { /** * Handle an incoming request. * * @param \Illuminate\Http\Request $request * @param \Closure $next * @return mixed */ public function handle($request, Closure $next) { $response = … Read more
It’s certainly possible, using session_id. When the user logs in somewhere else, you can do this step before starting a new session for the new login: // The hard part: find out what $old_session_id is session_id($old_session_id); session_start(); session_destroy(); // Now proceed to create a new session for the new login This will destroy the old … Read more
You should have logout servlet/jsp which invalidates the session using the following ways: Before Servlet 3.0, using session.invalidate() method which invalidates the session also. Servlet 3.0 provides a API method HttpServletRequest.logout() which invalidates only the security context and the session still exists. And, the Application UI should be providing a link which invokes that logout … Read more
It’s hard for me to say for sure if your code is enough. However standard Spring-security’s implementation of logging out is different. If you took a look at SecurityContextLogoutHandler you would see they do: SecurityContextHolder.clearContext(); Moreover they optionally invalidate the HttpSession: if (invalidateHttpSession) { HttpSession session = request.getSession(false); if (session != null) { session.invalidate(); } … Read more
Update: This solution does not seem to work anymore in many browsers. Kaitsu’s comment: This solution of sending false credentials to make browser forget the correct authenticated credentials doesn’t work in Chrome (16) and IE (9). Works in Firefox (9). Actually you can implement a workaround by sending false credentials to the service. This works … Read more
Brice’s answer is great, but I still noticed an important distinction to make; the Passport guide suggests using .logout() (also aliased as .logOut()) as such: app.get(‘/logout’, function(req, res){ req.logout(); res.redirect(“https://stackoverflow.com/”); //Can fire before session is destroyed? }); But as mentioned above, this is unreliable. I found it behaved as expected when implementing Brice’s suggestion like … Read more
I have solved this issue calling this function when the user click on the logout link: var logout = function(){ document.location.href = “https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://www.example.com”; } When the user click on the link, the browser redirect the user to the logout page and only when the logout is complete, the user is redirected to the site “http://www.example.com“. … Read more
I was having the same problem. I also login using oauth (I am using RubyOnRails), but for logout, I do it with JavaScript using a link like this: <a href=”/logout” onclick=”FB.logout();”>Logout</a> This first calls the onclick function and performs a logout on facebook, and then the normal /logout function of my site is called. Though … Read more
No server-side logout button will work when using “Windows” authentication. You must use “Forms” authentication if you want a logout button, or close the user’s browser.