Task #3341
closedImplement Single Log-Out system
0%
Description
Currently participating in the experiment to evaluate replacement of AskBot (AskLO) with Discourse.
Until authorised to submit tickets to Redmine, I only had access to Discourse (single session configuration).
I disconnected from the Discourse session by using the menu command associated with "avatar" at top right of screen (labeled Log Out). I was effectively disconnected but some token (cookie?) remained on my computer.
Next time I logged in, I did not need to enter manually my credentials as the token was automatically used (even if my computer was rebooted to make sure I started afresh).
This has security implication for me: anybody able to log into my computer account can then log into my Discourse (or SSO) account without the need to validate credentials. This is not really important for my desktop, but may be serious for my laptop which is sometimes left unattended in meeting rooms.
Guilhem Moulin provided me a link to fully disconnect from SSO, but this is inconvenient (I'll try to put it in a bookmark to have it at hand).
Is is possible to have a second menu command with another label (making clear it will cause a full and complete disconnection) for this purpose?
I understand there has been a long and dense debate about SSO and that my wish may cause service disruption (closing other simultaneously active sessions).
In case this is relevant, all my computers run under Fedora Linux and browser is Firefox.