
Re: Logging out from Facebook

From: John Kemp <john@jkemp.net>
Date: Mon, 26 Sep 2011 14:53:53 -0400
Cc: "www-tag@w3.org List" <www-tag@w3.org>
Message-Id: <93B8B93F-A5F7-4796-B583-57775B958EE3@jkemp.net>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
On Sep 26, 2011, at 2:38 PM, Bjoern Hoehrmann wrote:

> * John Kemp wrote:
>> The problem is that users (whether laymen or IT professionals) expect
>> that when they click 'logout' or 'remove my cookies', their 'session'
>> state with that site is removed. I certainly have that expectation too.
>> After all, a session should be a session. Not some indefinite period of
>> time. What is the valid need for 'client state' when the client is not
>> working on my behalf at the server (i.e. I am logged in at that site)?
> 
> So the state information can be used during the next sign-in.

So it is not per-session state, basically. It is persistent, non-session state and doesn't pertain at all to user login/logout events as such.  

> Martin J.
> Dürst already noted retaining the user's locale to present the sign-in
> page in the user's preferred language.

How does the site know who the *user* is, if the user is not logged-in? Yes, I understand that the preferred locale of an unidentified user is important information in presenting a webpage that works for the user. But if the user is not logged-in, the site should only assume that a user who desires locale X is visiting their site. 

> Another use would be logging the
> user out more aggressively when the user signs in using an unfamiliar
> browser like from an Internet Cafe. Note that you can turn this around
> and question setting cookies before the user logs in or does something
> else that indicates the user would like state to be maintained (adding
> something to a shopping cart for instance). The only difference is that
> the data can be associated with the account more easily and accurately.

I'm pointing out that most people expect that when they press 'logout', future requests to that site are considered "anonymous" from a user account perspective, until they log back in. Of course, people would also like it if they see the site presented in a script and language that makes sense to them. These two things, however, can be accomplished using current mechanisms. It is a (someone's ;) bug if per-user-session state is maintained after the user has explicitly logged out.

I don't expect that I can be tracked across the Web by means of some state maintained by my browser to record my preferred locale, for example. Such information may (and should) be sent to all sites, and thus is probably not best recorded as a cookie or other origin-related piece of information. 

- John

> -- 
> Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
> Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
> 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
> 
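The logout semantics argued for in the reply above, as an added example that is not part of the thread: server-side session state is destroyed on logout and the session cookie is expired, while the locale comes from the Accept-Language header that the browser sends to every site, so no origin-bound cookie is needed to keep the sign-in page readable. The session store, cookie name and supported-language list are assumptions for illustration.

```python
"""Added example: logout drops per-user-session state; locale is derived
from Accept-Language (sent to every site) rather than a persistent cookie.
SESSIONS, the 'sid' cookie and the supported languages are assumptions."""
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # server-side session store: session id -> {"user": ...}


def login(user):
    """Create a server-side session; return its id and the Set-Cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user}
    return sid, f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def logout(sid):
    """Invalidate the session on the server AND expire the browser cookie.
    Clearing only the cookie would leave a replayed 'sid' still valid."""
    SESSIONS.pop(sid, None)
    return "sid=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax"


def current_user(cookie_header):
    """Resolve the account for a request; None means anonymous."""
    cookies = SimpleCookie(cookie_header or "")
    sid = cookies["sid"].value if "sid" in cookies else None
    session = SESSIONS.get(sid) if sid else None
    return session["user"] if session else None


def preferred_locale(accept_language, supported=("en", "de", "ja")):
    """Pick a supported language from Accept-Language, highest q-value first
    (stable sort keeps header order for ties); fall back to supported[0]."""
    candidates = []
    for part in accept_language.split(","):
        tag, _, params = part.strip().partition(";")
        if not tag:
            continue
        q = 1.0
        if params.strip().startswith("q="):
            try:
                q = float(params.strip()[2:])
            except ValueError:
                q = 0.0
        candidates.append((q, tag.strip().lower().split("-")[0]))
    candidates.sort(key=lambda c: -c[0])
    for q, lang in candidates:
        if q > 0 and lang in supported:
            return lang
    return supported[0]


def demo():
    """Constructed walk-through: logged in, logged out, cookie replayed."""
    sid, _ = login("alice")
    cookie = f"sid={sid}"
    before = current_user(cookie)
    logout(sid)
    after = current_user(cookie)  # old cookie replayed: must be anonymous
    return before, after, preferred_locale("de-DE, de;q=0.9, en;q=0.8")
```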
Received on Monday, 26 September 2011 18:54:37 GMT
