Pubcookie can help you add a logout mechanism to your Pubcookie-protected website. The recommended method uses Pubcookie's per-site logout feature to clear a user's session cookie; then it redirects the user to the "weblogin" service, which will display a customizable logout-response page.
By encouraging developers to take advantage of these features and advising them on how to do so, UW Technology hopes to meet the following objectives:
to make the end-user experience of logging out of Pubcookie-protected websites consistent across the many sites at the UW that use Pubcookie;
to steer end users to centrally maintained logout instructions for the UW NetID "weblogin" service.
UW Technology promotes the following guidelines regarding logout:
Each Pubcookie-protected application should have a logout link or button. Such a link or button should, if an application maintains an application session, end that session. It should also link to Pubcookie-provided logout functionality as described below.
Pubcookie's logout functionality should be combined with application-specific logout actions. Pubcookie logout ends Pubcookie's session state on the application server, and (in the normal, recommended case) redirects the user to a standard page on the "weblogin" service that displays information about what's going on.
While our recommended method of logging out of everything is still to close the browser, the "weblogin" service has a "logout" capability that ends a user's "single sign-in" session. Although we are not recommending that applications link to this feature, developers and support staff appreciate knowing that it exists. Refer to the end-user logout instructions for this feature.
Pubcookie's logout features are available in mod_pubcookie 1.77 or higher, and in Pubcookie ISAPI Filter 2.7 or higher.
Pubcookie's logout features are typically configured through a special logout folder. When an end user goes to such a folder it causes Pubcookie to clear the user's current session cookie. The recommended logout method also redirects the user to the "weblogin" service in order to generate a logout response page. Platform-specific configuration instructions follow below.
To configure a logout folder on Microsoft IIS:
Add a new subfolder to your site. The folder name is up to you, but "logout" seems like an obvious choice, e.g.:
C:\inetpub\wwwroot\webapp\logout
Set the Logout_Action value under the registry key that corresponds to this folder, e.g.:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PubcookieFilter\WebApp\Logout] "Logout_Action"="2"
Note: the value "2" applies the recommended behavior (clear the session cookie, then redirect to the "weblogin" service) to your logout folder.
To configure a logout folder on Apache:
Add a new subfolder to your site. The folder name is up to you, but it must be located within your Pubcookie-protected site, e.g.:
mkdir /var/www/html/webapp/logout
Note: the example above assumes that the webapp directory is already Pubcookie-protected by an AuthType directive.
Create a .htaccess file in your new logout folder.
cd /var/www/html/webapp/logout
pico .htaccess
Add a PubcookieEndSession directive to the .htaccess file and specify the redirect argument:
PubcookieEndSession redirect
Save the .htaccess file.
After configuring your logout folder, give it a test:
Open the address of your Pubcookie-protected website in a Web browser. Be sure to open your site's Pubcookie-protected entry page, not the logout folder (not yet). Opening the entry page will redirect you to the "weblogin" service.
Log in to the "weblogin" service. As usual, it will redirect you back to your site, where Pubcookie will set a "session cookie" on your browser. (It is this cookie that is cleared when a request is made to your logout folder.)
Open the address of your new logout folder, e.g.:
https://appserver.washington.edu/webapp/logout/
Pubcookie will clear your session cookie and redirect you to the "weblogin" service, which will display a "logout successful" message.
(Optional) Make a note of the URL address of this logout response page generated by the "weblogin" service, e.g.:
https://weblogin.washington.edu/?logout_action=0&two=webapp&one=appserver.washington.edu
You will need this address if you want to customize the text of the logout response for your site.
Open the "weblogin" service's own logout page:
https://weblogin.washington.edu/logout/
This will clear the "login" cookie that maintains the "single sign-in" period with the "weblogin" service, so that the next time you visit the "weblogin" service you will have to log in again. (It should be clear after the next step why this is done.)
Open your site's Pubcookie-protected entry page again. If your logout folder worked as it should, you will be redirected to the "weblogin" service because you have no session cookie. Additionally, because you also logged out of the "weblogin" service, it will ask you to log in again. This confirms that your logout folder passed the test.
At this point you have configured a logout folder, one that has hopefully passed the test above. The last step is to deploy your site's new logout feature by linking it into your pages and navigational model.
Review the design guidelines for exit pages and logout links. (Availability TBD.)
Decide if you require more than the generic "You successfully logged out" message on the logout response page generated by the "weblogin" service for your site. You can customize the logout response if you want.
Add links to your logout folder throughout your site, wherever it makes sense to do so. With regard to link text and language usage, the "weblogin" service uses phrases based on the terms "log in" and "logout". You may want to do the same, although it is true that many sites use other verbs such as "quit" or "exit".
Note for Web applications: if your site is a Web-based application that maintains its own session state in its own HTTP cookie(s), and you want to clear this information as part of your site's logout process, create your own application-specific logout folder or program separate from your Pubcookie-configured logout folder. Link to the application-specific logout folder first and have it invalidate the application session and clear the application-specific cookies as necessary. Then, as its response, redirect users to your Pubcookie-configured logout folder, which clears the Pubcookie session cookie and forwards them to the "weblogin" logout response page.
Although you could technically get by without a Pubcookie-configured logout folder, it is recommended that you use one: it is a layer of abstraction that allows Pubcookie's logout functionality to evolve (and be improved) without breaking existing installations.
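The two-stage logout described above, as an added example that is not part of this page or of Pubcookie itself: a small WSGI handler for the application's own logout URL that invalidates the server-side session, expires the application cookie in the browser, and then redirects to the Pubcookie-configured logout folder. The cookie name "appsession", the mount path /webapp, the handler path /webapp/applogout and the SESSIONS dictionary are assumptions for illustration; only /webapp/logout/ comes from the page's own example.

```python
"""Application-specific logout that hands off to the Pubcookie logout folder.

Hypothetical example, not Pubcookie code.  Assumed names:
  - the application is mounted under /webapp and stores its session id in
    a cookie called "appsession" (set with Path=/webapp);
  - the Pubcookie-configured logout folder is /webapp/logout/;
  - SESSIONS stands in for the application's server-side session store.
"""
from http.cookies import SimpleCookie
from wsgiref.util import setup_testing_defaults

# (cookie name, path it was set with) -- assumed application cookies.
APP_COOKIES = (("appsession", "/webapp"),)
PUBCOOKIE_LOGOUT = "/webapp/logout/"   # Pubcookie-configured logout folder

# Constructed session store: session id -> user data.
SESSIONS = {"s1": {"user": "alice"}, "s2": {"user": "bob"}}


def expire_cookie(name, path):
    """Build a Set-Cookie value that removes `name` from the browser.

    A browser only overwrites a cookie whose name, Path (and Domain) match
    the original, so `path` must be the one the cookie was set with.  Both
    Max-Age=0 and an epoch Expires are sent for the benefit of old clients.
    """
    return (f"{name}=; Path={path}; Max-Age=0; "
            "Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly")


def app_logout(environ, start_response):
    """WSGI handler for the application's own logout URL (/webapp/applogout).

    1. Invalidate the server-side session so the old id cannot be replayed,
       even if the browser ignores the Set-Cookie.
    2. Expire the application cookie(s) in the browser.
    3. Redirect to the Pubcookie logout folder, which clears Pubcookie's
       session cookie and forwards the user to the "weblogin" logout page.
    """
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    for name, _path in APP_COOKIES:
        morsel = cookies.get(name)
        if morsel is not None:
            SESSIONS.pop(morsel.value, None)   # unknown ids are ignored

    headers = [("Location", PUBCOOKIE_LOGOUT)]
    headers += [("Set-Cookie", expire_cookie(n, p)) for n, p in APP_COOKIES]
    # The logout response must not be served from a cache.
    headers += [("Cache-Control", "no-store"),
                ("Content-Type", "text/plain; charset=utf-8")]
    start_response("302 Found", headers)
    return [b"Logging out..."]


def run_logout(cookie_header):
    """Drive app_logout() with a constructed request.

    Returns (status, header list, body) so callers can inspect the redirect
    and every Set-Cookie header (there may be more than one).
    """
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = "/webapp/applogout"
    if cookie_header:
        environ["HTTP_COOKIE"] = cookie_header
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app_logout(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, _ = run_logout("appsession=s1; other=x")
    print(status)
    for k, v in headers:
        print(f"{k}: {v}")
    print("remaining sessions:", sorted(SESSIONS))
```

The order matters: the application handler runs first, because once the user has been sent to /webapp/logout/ the Pubcookie session cookie is gone and the browser is on the "weblogin" service, where the application gets no further chance to clean up. Clearing the server-side entry as well as the cookie means a copied session id is useless even if the Set-Cookie never reaches the browser.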
To customize the logout response page generated by the UW "weblogin" service for your site:
Choose your customized logout response text, e.g.:
You successfully logged out of Webapp. Come back soon!
Determine the URL address of the logout response page generated by the "weblogin" service for your site, e.g.:
https://weblogin.washington.edu/?logout_action=0&two=webapp&one=appserver.washington.edu
For help, refer to the steps leading up to and including step 5 under Test Your Logout Folder.
Email this address, plus the custom text you want, to pubcookie@u.washington.edu. We will configure the "weblogin" service accordingly.