Re: Logging out from Facebook

On 30 Sep 2011, at 09:23, Paul Libbrecht wrote:

> From reading this whole thread I understand the following logout mechanism should be as close as possible:
> 
> - go back to the site's home (the user can always go back if he wishes)
> - remove cookies for that domain and any transcluded resources' domains
> - remove local storage for the same (JS, Flash, ...)
> - remove stored ETags
> - remove or at least slightly modify cached entities last-modification dates
> - close all connections

You forgot: do not send that host your client certificates anymore.  (Safari sends those automatically, for example, and I am not exactly sure how you disable it. I think you have to go to the keychain and manually disable the certificate from being sent to a particular host name, but I am not sure.)


> 
> I, personally, do not think even the locale is worth keeping: the user wants to see the world with new fresh eyes of his browser; it should speak Chinese if in a Chinese internet café.
> Doing this, I believe, leaves only the IP as a possible tracker (as well as all "more elaborate analysis methods" such as usage or type patterns as reported by Björn and Henry S) which cannot easily be changed.
> 
> paul
> 
> 
> On 27 Sept 2011, at 15:22, John Kemp wrote:
> 
>> My only point is that in this case (where user explicitly says 'logout') I believe that user expectations are being violated. I also asked for what the valid reasons are for doing this. But ultimately, it is this violation of user expectation that is the important part for me. 
>> 
>> I agree with you that identification (and the various degrees of that) are much more complex than can be expressed by 'logged-in vs. logged-out.'
> 

Social Web Architect
http://bblfish.net/

Received on Friday, 30 September 2011 08:15:04 UTC