Reputation: 322
Using DotNetOpenAuth I have enabled OpenID login to a local sports club's website. Besides users logging in from home, we also have a PC within the club running IE in kiosk mode. I have some security concerns with this kiosk PC.
1) Can I somehow tell the identity provider not to offer the "Keep me signed in" option? Or at least for Yahoo uncheck it by default.
I am hoping it can be defined in an extension or something, but I haven't found anything like that.
2) I can easily log out a user from our own site, but the session to the identity provider remains. This allows anyone on the kiosk PC to login as the last person using OpenID.
I have a logoff button on my page, and on the kiosk PC even timed activation of the logoff button. With Google, Yahoo and AOL I have found logoff urls. I activate those as part of the logoff process.
Does anyone know a logoff URL for myOpenID, and maybe other providers? Or even better, can I request the URL from the provider like I request the email?
If it helps anyone, these are the URLs I found so far:
Google: https://www.google.com/accounts/Logout
Yahoo: https://login.yahoo.com/config/login?logout=1
AOL: https://my.screenname.aol.com/_cqr/logout/mcLogout.psp
Thanks in advance,
Jan
Upvotes: 3
Views: 265
Reputation: 81801
I'm confused by the fact that you seem to be mixing the kiosk with the web sites users are visiting. Is your kiosk rigged to only let users visit your specific RP? Rigging your RP to log users out of their OP as well is usually rude, and since this rigging will impact your RP regardless of whether users visit your site from the kiosk or from their home computer, I don't think customizing your web site as if the kiosk is its only mode is a good idea.
Better to just set up the kiosk's IE options such that it clears all cookies every time you close the browser. And as Samuel said: perhaps write a plugin that will clear cookies forcibly when it sees the URL on your web site that indicates the user is logging off, to help those users that don't close their browser.
But two thumbs up for helping increase the security of your customers!
Upvotes: 1
Reputation: 74909
Since this is running in a kiosk you have more control over the browser as well. Use a custom plugin to clear ALL browser cookies when they log out of your site. That will effectively log them out of any OpenID site they're logged into as well.
Upvotes: 0
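An added example, not code from the asker or either answerer, showing the two kiosk-side measures the answers recommend as a PowerShell script run on the kiosk PC: making IE discard cookies when it closes, and a function the logoff step can call to wipe cookies immediately. It assumes Internet Explorer on Windows; the registry value and the rundll32 flag values are the documented IE ones, but verify them against the kiosk's IE version before relying on them.

```powershell
# Kiosk hardening for the shared club PC (added example, not from the thread).
# Goal: a departing user's identity-provider session must not survive for the
# next person at the kiosk, regardless of which OpenID provider they used.

# 1) Answer 1's suggestion: have IE clear cookies/history on every exit.
#    ClearBrowsingHistoryOnExit = 1 is the per-user setting behind the
#    "Delete browsing history on exit" checkbox in Internet Options.
$privacyKey = 'HKCU:\Software\Microsoft\Internet Explorer\Privacy'
New-Item -Path $privacyKey -Force | Out-Null
Set-ItemProperty -Path $privacyKey -Name 'ClearBrowsingHistoryOnExit' `
    -Value 1 -Type DWord

# 2) Answer 2's suggestion: clear cookies the moment the user logs off,
#    so a user who walks away without closing IE is covered too.
#    ClearMyTracksByProcess flags (assumed per IE documentation):
#      1 = history, 2 = cookies, 8 = temporary internet files,
#      255 = everything, 4351 = everything including add-on data.
function Clear-KioskCookies {
    param([int] $Flags = 2)   # default: cookies only
    Start-Process -FilePath 'rundll32.exe' `
        -ArgumentList "InetCpl.cpl,ClearMyTracksByProcess $Flags" `
        -Wait -WindowStyle Hidden
}

# Example logoff step on the kiosk: wipe cookies (and cached pages), then
# return IE to the club's start page. $StartPage is a placeholder.
$StartPage = 'https://club.example/'   # placeholder, not a real address
Clear-KioskCookies -Flags (2 -bor 8)
Start-Process -FilePath 'iexplore.exe' -ArgumentList "-k $StartPage"
```

The first block only needs to run once per kiosk user profile; the function is what the timed logoff activation on the kiosk should invoke after the RP's own logout completes.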