
Re: Logging out from Facebook

From: Paul Libbrecht <paul@hoplahup.net>
Date: Fri, 30 Sep 2011 10:48:19 +0200
To: Henry Story <henry.story@bblfish.net>, "www-tag@w3.org List" <www-tag@w3.org>
Message-Id: <6B799868-9E0E-43B5-8912-ADC46D30CD7D@hoplahup.net>

On 30 Sept 2011, at 10:14, Henry Story wrote:

>> From reading this whole thread I understand the following logout mechanism should be as close as possible:
>> 
>> - go back to the site's home (the user can always go back if he wishes)
>> - remove cookies for that domain and any transcluded resources' domains
>> - remove local storage for the same (JS, flash, ....)
>> - remove stored etags
>> - remove or at least slightly modify cached entities last-modification dates
>> - close all connections
> 
> You forgot: do not send that host your client certificates anymore.  (Safari sends those automatically, for example, and I am not exactly sure how you disable it. I think you have to go to the keychain and manually disable the certificate from being sent to a particular host name, but I am not sure.)

I personally find this so special that I do not think it is worth mentioning: if you install client certs for a particular host (is it host-directed?) you rarely fear being watched by that host... 

My gut feeling would be to simply disable the "browser logout" for such a site (Safari should otherwise have a way to "reactivate the certs" which, as you describe, seems not really planned for).

paul
Received on Friday, 30 September 2011 08:49:00 GMT
