Comment 9 for bug 451336

Stuart Metcalfe (stuartmetcalfe) wrote : Re: Need to redirect back to the consumer after logout

And here are the updated scenarios:

1. Rich is using one of the public university computers. He needs to log into the Ubuntu One interface to download a document to be printed for his next class. He logs in, successfully downloads and prints the file, and then he hits the logout button so that he can quickly get to class. Rich wants to confirm he is successfully logged out before leaving the workstation.

 1. Hit the logout button.
 2. Ubuntu SSO page is displayed: "You have been logged out. <big>Return to Ubuntu One</big>"

If Rich has recently used SSO to log in to other sites on any computer and his SSO session is still active, a list is displayed. We now explicitly say "You have been logged out". Rich is able to make a decision on whether he needs to log out of other sites if he's used them.

----

2. Emily visits a web-site that says she must authenticate using her Ubuntu SSO credentials. She clicks the login link; since she's already logged into other services with SSO, it merely asks her if she wants to log in. She chooses to and is sent to the new site. She decides this is not something she is interested in using again and clicks the Logout button for the site. She doesn't want to log out of the other services she uses regularly.

 1. Hit the logout button
 2. Ubuntu SSO page displayed: "You have been logged out of <web-site>. You have also used these sites recently: *list of sites Emily has recently used with Ubuntu SSO*"

It should be clear to Emily that she has not been logged out of the other recently used sites, but that she can browse to them.

----

3. Neil comes across a site that looks suspicious. It shows he is logged in and he doesn't like the idea and would prefer to browse this site anonymously. He hovers his mouse over the button and the status bar shows that the logout link points to the Ubuntu SSO service. (In fact, this is a malicious or mis-configured site and the link is not doing what it says it is doing). Neil clicks the link.

 1. Hit the logout button
 2. Ubuntu SSO displays a page:
   a. The site sends a return URL which isn't recognised. Neil is logged out of Ubuntu SSO and the main login page is displayed with the message "You have been logged out"
   b. The site sends a return URL which is recognised, but the HTTP_REFERER is sent and doesn't match the return URL. Neil is logged out of Ubuntu SSO and the main login page is displayed with the message "You have been logged out"
   c. The site sends a return URL which is recognised. Rich's browser doesn't send the HTTP_REFERER header. SSO displays: "You have been logged out. <big>Return to <sitename> (link to return_to)</big>"
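
Added example, not part of the original comment or of the Ubuntu SSO code base: a sketch of the return-URL decision in scenario 3 (cases a, b and c). The allowlist `TRUSTED_CONSUMERS`, its example hosts and the function names are assumptions, as is the choice to offer the link when the Referer matches the return URL.

```python
from urllib.parse import urlsplit

# Constructed allowlist of registered consumer sites (hypothetical values).
TRUSTED_CONSUMERS = {
    "https://one.example.com": "Ubuntu One",
    "https://wiki.example.org": "Example Wiki",
}
LOGGED_OUT = "You have been logged out"


def origin(url):
    """Return scheme://host[:port] for an absolute http(s) URL, else None."""
    if not url:
        return None
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username or parts.password:
        return None  # reject "https://trusted@other-host/" style URLs
    default = {"http": 80, "https": 443}[parts.scheme]
    host = parts.hostname if port in (None, default) else f"{parts.hostname}:{port}"
    return f"{parts.scheme}://{host}"


def logout_response(return_to, referer):
    """Decide what the logout page shows; the SSO session ends in every case."""
    site_origin = origin(return_to)
    site_name = TRUSTED_CONSUMERS.get(site_origin)
    if site_name is None:
        # Case a: return URL not recognised, so no link back is shown.
        return {"message": LOGGED_OUT, "return_link": None}
    if referer and origin(referer) != site_origin:
        # Case b: a Referer was sent but does not match the return URL.
        return {"message": LOGGED_OUT, "return_link": None}
    # Case c (no Referer) or matching Referer: show a link, never auto-redirect.
    return {"message": f"{LOGGED_OUT}. Return to {site_name}",
            "return_link": return_to}
```

Comparing parsed origins rather than string prefixes keeps look-alike hosts such as `one.example.com.other.example.net` out of the recognised set.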