Re: Logging out from Facebook

On 30 Sept. 2011 at 10:14, Henry Story wrote:

>> From reading this whole thread I understand the following logout mechanism should be as close as possible:
>> 
>> - go back to the site's home (the user can always go back if he wishes)
>> - remove cookies for that domain and any transcluded resources' domains
>> - remove local storage for the same (JS, flash, ....)
>> - remove stored etags
>> - remove or at least slightly modify cached entities last-modification dates
>> - close all connections
> 
> You forgot: do not send that host your client certificates anymore.  (Safari sends those automatically, for example, and I am not exactly sure how you disable it. I think you have to go to the keychain and manually disable the certificate from being sent to a particular host name, but I am not sure.)

I personally find this so special that I do not think it is worth mentioning: if you install client certs for a particular host (is it host-directed?) you rarely fear being watched by that host...

My gut feeling would be to simply disable the "browser logout" for such a site (Safari should otherwise have a way to "reactivate the certs" which, as you describe, seems not really planned for).

paul

Received on Friday, 30 September 2011 08:49:00 UTC