views: 203
answers: 2

OK, this is something weird. I got authlogic-oid installed in my Rails app today. Everything works perfectly fine but for one small nuisance.

This is what I did:

I first register with my Google OpenID. Successful login, redirection, and my email, along with my correct OpenID, is stored in my database. I am happy that everything worked fine!

Now when I log out, my Rails app as usual destroys the session and redirects me back to my root URL, where I can log in again. Now if I try to log in, it still remembers my last login ID. Not a big issue, as I can always "Sign in as a different user", but I am wondering if there is any way to not only log out from my app but also log out from Google.

I noticed the same with Stack Overflow's OpenID authentication system.

Why am I so bothered about this, you may ask. But is it not a bad idea if your web app's end user, who happens to be in a cyber cafe, thinks he has logged out from your app and hence from his Google account, only to realize later that his Google account got hacked by some unworthy loser who just happened to notice that the one before him had not logged out from Google and, say, changed his password!!

Should I be paranoid? Isn't this a major security lapse while implementing the OpenID spec? Probably today someone can give me a workaround for this issue and the question is solved for me. But what about the others who have implemented OpenID in their apps and have not implemented a workaround?

+2  A: 

AFAIK, there is no way you can log the user out of their account in another system. Your app is supposed to be responsible only for its own business. As a user, I'd be very surprised if a website using OpenID could log me out of my Google account.

Yes, there is a scenario in which a user can assume that they are logged out of Google because they logged out on your site, but that would (and should) be their own fault.

Evgeny Shadchnev
I am still not able to digest your answer. So you expect all the users who access your web app to be aware of the OpenID specification and make sure that they log out of Google too? I bet even if you do put up a notification telling the users to make sure they log out of their Google account too, only half the users would have read it. I still consider this a major problem in the spec.
Shripad K
And I can't believe the fact that if there really is no workaround to this problem, then many big guys (like Google, Yahoo, etc.) actually accepted the OpenID specification. That will put their user base in jeopardy.
Shripad K
The protocol has been around for 5 years and there is still no sign of jeopardy :) Seriously, I think this isn't such a big problem.
Evgeny Shadchnev
Maybe it's not. I am losing a user if he/she falls victim to the account being hacked. In fact I was going through this PDF: https://wiki.openid.net/f/OpenID%20Logout.pdf It is possible to do a global logout, but it is difficult to implement. I just want to know how to implement it.
Shripad K
+2  A: 

If this is such a big issue to you, do not use OpenID, or display a DHTML popup after a successful logout reminding the users that their session is still valid on their OpenID provider.

As for Google's OpenID, what you can probably do is redirect users through the following URL after

http://www.google.com/accounts/ClearSID?continue=http%3A%2F%2Fwww.google.com%2Faccounts%2FLogout%3Fcontinue%3Dhttp%3A%2F%2Fwww.google.com%2F

Andrew Moore
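As an added example (not part of Andrew Moore's answer, and not code from authlogic-oid), here is plain Ruby that builds the chained ClearSID -> Logout -> back-to-your-app URL from the answer above and then walks the chain back to show what each hop will receive. The host allowlist `ALLOWED_RETURN_HOSTS` and the host `www.example.com` are assumptions for illustration; the `ClearSID` and `Logout` endpoints are the undocumented Google URLs quoted in the answer, so confirm they still behave that way before relying on them.

```ruby
require "uri"
require "cgi"

# Hosts this app is willing to send the user back to after the provider logout.
# Anything else is rejected so the logout chain cannot be turned into an open
# redirect. (Assumption for the example: replace with your own host(s).)
ALLOWED_RETURN_HOSTS = %w[www.example.com].freeze

# Undocumented Google endpoints quoted in the answer above.
GOOGLE_LOGOUT   = "http://www.google.com/accounts/Logout"
GOOGLE_CLEARSID = "http://www.google.com/accounts/ClearSID"

# Build the chained URL: ClearSID -> Logout -> return_to.
# Each hop carries the next hop in its `continue` parameter, so the inner URL
# is percent-encoded once per level of nesting; the hop that receives it
# decodes exactly one level before redirecting.
def google_global_logout_url(return_to)
  uri = begin
    URI.parse(return_to)
  rescue URI::InvalidURIError
    nil
  end
  # Only absolute http(s) URLs pointing at our own host are allowed as the
  # final destination (URI::HTTPS is a subclass of URI::HTTP).
  unless uri.is_a?(URI::HTTP) && ALLOWED_RETURN_HOSTS.include?(uri.host)
    raise ArgumentError, "refusing to chain logout to untrusted URL: #{return_to}"
  end
  logout = "#{GOOGLE_LOGOUT}?continue=#{CGI.escape(return_to)}"
  "#{GOOGLE_CLEARSID}?continue=#{CGI.escape(logout)}"
end

# Simulate each hop decoding its `continue` parameter, returning the list of
# URLs the browser will be sent to, in order.
def decode_continue_chain(url)
  chain = [url]
  loop do
    q = URI.parse(chain.last).query or break
    nxt = CGI.parse(q)["continue"].first or break
    chain << nxt
  end
  chain
end

if __FILE__ == $PROGRAM_NAME
  url = google_global_logout_url("http://www.example.com/")
  decode_continue_chain(url).each_with_index { |hop, i| puts "hop #{i}: #{hop}" }
end
```

In an Authlogic-based app this would be called from the session controller's destroy action after the local session has been destroyed, e.g. `redirect_to google_global_logout_url(root_url)`. Two deliberate differences from the literal URL in the answer: the innermost URL is encoded once per level of nesting, so a return URL with its own query string survives the hops, and the return target is checked against an allowlist, because whatever goes into `continue` is a redirect the user will follow. Note also that this signs the user out of every Google service in that browser, which is what the question wants for a shared machine but will surprise users on their own machines, so it belongs behind an explicit "also sign out of Google" choice rather than on every logout.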