Home → Problems →

Cookie logout doesn't work

• Edit

Jeff Haynie

06 Jun, 2009 09:15 PM

We're trying to setup tender using external auth from our domain. Login seems to work great but we can't seem to ever get logout to work. We seem to be able to delete the cookies (tender_email, tender_expires, tender_hash) and then redirect but tender still shows the user logged in. Checking the cookies in Firefox (tried on safari too), they're gone. Is there anything else required to logout?

1. 1 Posted by rick on 07 Jun, 2009 09:48 PM

   

   I assume you're using a logout action on your app? Try clearing _tender_session too. Tender's logout clears the standard SSO tender_* cookies right now.

   This is part of the reason that we're testing a new format for SSO logins. We're now just looking for an encrypted JSON hash in an sso parameter. This gets around any weird cookie issues. We have an implementation that's just waiting for us to document it.

   • Edit

2. 2 Posted by Jeff Haynie on 07 Jun, 2009 09:53 PM

   

   Yeah, we're calling logout and deleting all tender* cookies.

   Can we try and integrate with the new multipass API (we can read the
   code >>> !)... i mean, is it OK to use right now in production?

   • Edit

3. 3 Posted by rick on 07 Jun, 2009 10:06 PM

   

   The cookie is _tender_session with an underscore in the front. Is it deleting that?

   Yes, the multipass is fine to use now, I just didn't feel like explaining it again :) If you're using ruby, you can just use the Multipass plugin I linked above. Here's what my user model in Lighthouse looks like:

   class User
     def self.multipass
       @multipass ||= MultiPass.new('my_site_key', 'my_api_key')
     end
   
     def multipass
       @multipass ||= self.class.multipass.encode(:email => email, :display_name => name, :expires => 30.minutes.from_now,
         :external_id => id, :external_url => "http://entp.lighthouseapp.com/admin/users/#{id}")
     end
   end
   

   Only required fields are email and expires. name/display_name/login are all interchangeable. Also, I'd start sending guid if you want to integrate with UserVoice. We're using the same format and will probably be putting out some announcement for it.

   Here's what our redirection code looks like:

       def redirect_back_or_default(default)
         if !params[:to].blank?
           if logged_in? && params[:to] =~ /^https?:/
             params[:to] << (params[:to].include?('?') ? "&" : "?") << "sso=#{CGI.escape(current_user.multipass)}"
           end
           redirect_to params[:to]
         else
           redirect_to default
         end
       end
   end
   

   Basically, any request to /login?to=http://help.lighthouseapp.com gets an sso parameter appended to it before being redirected.
   

   I'm going to try and get a FAQ written about this since I've been dragging my feet for too long. If you're not using ruby, I'll break it down and even throw up a test server implementation. It's pretty simple -- if your language has a decent encryption library. Ruby's OpenSSL works great, but is weird and undocumented, so Multipass relies on a EzCrypto wrapper. UserVoice has code for PHP, Java, C#, etc that should all work too.

   • Edit

4. 4 Posted by Jeff Haynie on 07 Jun, 2009 10:10 PM

   

   cool we'll try that out ... thanks!

   • Edit

5. 5 Posted by Martin Robinson on 07 Jun, 2009 11:14 PM

   

   Just to clarify the issue that we're seeing is that even though the logout link seems to redirect correctly, it does not remove the tender_session cookie. We are able to remove all tender* cookies that we set previously, but we cannot remove the _tender_session cookie ourselves as it is set to the full sub-domain path. Browser security restrictions prevent us from fiddling with cookies from other sub-domains.

   Deleting the _tender_session cookie manually from the browser seems to force a logout.

   Will the multipass approach have the same problem? Is there a way to force tender to delete the _tender_session cookie before or after the logout button is clicked? Can we just set the tender_expires cookie to a date in the past?

   • Edit

6. 6 Posted by rick on 08 Jun, 2009 04:48 AM

   

   Why not just use the standard Tender logout? We may have to remove
   the logout url option completely. If you want it to redirect
   somewhere, I can add support for a '?to' parameter.

   • Edit

7. 7 Posted by Martin Robinson on 09 Jun, 2009 06:43 PM

   

   The main motivation for using a different logout URL was so that the link would log out of both tender and our SSO setup. I suppose redirecting to the standard tender logout would be a good solution as well.

   • Edit

8. 8 Posted by Martin Robinson on 09 Jun, 2009 06:45 PM

   

   Oh...another issue is that if a user logs out somewhere else, they will still be logged into tender.

   • Edit

9. 9 Posted by rick on 09 Jun, 2009 06:45 PM

   

   Nah don't worry. I think what I'll do is send it to tender's logout,
   and have that redirect to your app-specific logout url if specified.

   • Edit

10. 10 Posted by rick on 09 Jun, 2009 06:46 PM

    

    We can't get around that really. Like you said, browser security
    issues prevent you from removing the cookie value.

    • Edit