Cookie logout doesn't work

Jeff Haynie's Avatar

Jeff Haynie

06 Jun, 2009 09:15 PM

We're trying to setup tender using external auth from our domain. Login seems to work great but we can't seem to ever get logout to work. We seem to be able to delete the cookies (tender_email, tender_expires, tender_hash) and then redirect but tender still shows the user logged in. Checking the cookies in Firefox (tried on safari too), they're gone. Is there anything else required to logout?

  1. 1 Posted by rick on 07 Jun, 2009 09:48 PM

    rick's Avatar

    I assume you're using a logout action on your app? Try clearing _tender_session too. Tender's logout clears the standard SSO tender_* cookies right now.

    This is part of the reason that we're testing a new format for SSO logins. We're now just looking for an encrypted JSON hash in an sso parameter. This gets around any weird cookie issues. We have an implementation that's just waiting for us to document it.

  2. 2 Posted by Jeff Haynie on 07 Jun, 2009 09:53 PM

    Jeff Haynie's Avatar

    Yeah, we're calling logout and deleting all tender* cookies.

    Can we try and integrate with the new multipass API (we can read the
    code >>> !)... i mean, is it OK to use right now in production?

  3. 3 Posted by rick on 07 Jun, 2009 10:06 PM

    rick's Avatar

    The cookie is _tender_session with an underscore in the front. Is it deleting that?

    Yes, the multipass is fine to use now, I just didn't feel like explaining it again :) If you're using ruby, you can just use the Multipass plugin I linked above. Here's what my user model in Lighthouse looks like:

    class User
      def self.multipass
        @multipass ||='my_site_key', 'my_api_key')
      def multipass
        @multipass ||= self.class.multipass.encode(:email => email, :display_name => name, :expires => 30.minutes.from_now,
          :external_id => id, :external_url => "{id}")

    Only required fields are email and expires. name/display_name/login are all interchangeable. Also, I'd start sending guid if you want to integrate with UserVoice. We're using the same format and will probably be putting out some announcement for it.

    Here's what our redirection code looks like:

        def redirect_back_or_default(default)
          if !params[:to].blank?
            if logged_in? && params[:to] =~ /^https?:/
              params[:to] << (params[:to].include?('?') ? "&" : "?") << "sso=#{CGI.escape(current_user.multipass)}"
            redirect_to params[:to]
            redirect_to default

    Basically, any request to /login?to= gets an sso parameter appended to it before being redirected.

    I'm going to try and get a FAQ written about this since I've been dragging my feet for too long. If you're not using ruby, I'll break it down and even throw up a test server implementation. It's pretty simple -- if your language has a decent encryption library. Ruby's OpenSSL works great, but is weird and undocumented, so Multipass relies on a EzCrypto wrapper. UserVoice has code for PHP, Java, C#, etc that should all work too.

  4. 4 Posted by Jeff Haynie on 07 Jun, 2009 10:10 PM

    Jeff Haynie's Avatar

    cool we'll try that out ... thanks!

  5. 5 Posted by Martin Robinson on 07 Jun, 2009 11:14 PM

    Martin Robinson's Avatar

    Just to clarify the issue that we're seeing is that even though the logout link seems to redirect correctly, it does not remove the tender_session cookie. We are able to remove all tender* cookies that we set previously, but we cannot remove the _tender_session cookie ourselves as it is set to the full sub-domain path. Browser security restrictions prevent us from fiddling with cookies from other sub-domains.

    Deleting the _tender_session cookie manually from the browser seems to force a logout.

    Will the multipass approach have the same problem? Is there a way to force tender to delete the _tender_session cookie before or after the logout button is clicked? Can we just set the tender_expires cookie to a date in the past?

  6. 6 Posted by rick on 08 Jun, 2009 04:48 AM

    rick's Avatar

    Why not just use the standard Tender logout? We may have to remove
    the logout url option completely. If you want it to redirect
    somewhere, I can add support for a '?to' parameter.

  7. 7 Posted by Martin Robinson on 09 Jun, 2009 06:43 PM

    Martin Robinson's Avatar

    The main motivation for using a different logout URL was so that the link would log out of both tender and our SSO setup. I suppose redirecting to the standard tender logout would be a good solution as well.

  8. 8 Posted by Martin Robinson on 09 Jun, 2009 06:45 PM

    Martin Robinson's Avatar

    Oh...another issue is that if a user logs out somewhere else, they will still be logged into tender.

  9. 9 Posted by rick on 09 Jun, 2009 06:45 PM

    rick's Avatar

    Nah don't worry. I think what I'll do is send it to tender's logout,
    and have that redirect to your app-specific logout url if specified.

  10. 10 Posted by rick on 09 Jun, 2009 06:46 PM

    rick's Avatar

    We can't get around that really. Like you said, browser security
    issues prevent you from removing the cookie value.

Discussions are closed to public comments.
If you need help with Tender please start a new discussion.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac