4. How do I log out of Webauth, or a Webauth enabled application?

It is virtually impossible to provide a logout that will reliably log a user out of all the applications they have logged into. Each Webauth enabled web service sets a Webauth application cookie scoped to its own server, and a server can only remove its own cookies, not those scoped to other servers. The only way to ensure that a user is completely logged out is for the user to close their browser.

There are four different sets of cookies that have to be removed in order for a user to be completely logged out:

Application specific cookies
    These are cookies that the application uses to keep state.

Webauth cookies scoped to the server the application is running on
    This group of cookies (with names that start with "webauth_") is what the Webauth service running on the local application server uses to keep track of users.

Main Webauth service cookie
    This is the master cookie that the main Webauth service uses to issue all the application server scoped Webauth cookies.

Webauth cookies for other remote servers
    Nobody but the servers the cookies are scoped for can remove these cookies, and the only way to be certain they have been removed is for the user to completely close their browser.

It is possible for an application to remove its own Webauth cookies, but the best way to do it is to let the Webauth module do it for you. To enable this, use Apache2 configuration fragments similar to the following (where /private is the location your application normally runs under):

<Location /private>
  WebAuthExtraRedirect on
  AuthType WebAuth
  Require valid-user
</Location>

<Location /private/logout>
  WebAuthDoLogout on
</Location>

It is the WebAuthDoLogout on directive that does the work of removing the local Webauth cookies. Use this location to remove any application cookies that may be present and then redirect the user to https://webauth.ox.ac.uk/logout. That location removes the master Webauth cookie and displays a message telling the user to close their browser.
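The application's own part of that logout step, as an added example that is not from the Webauth documentation or module: a minimal WSGI handler for /private/logout that expires the application's cookies and redirects to the central logout URL, leaving the webauth_ cookies to WebAuthDoLogout. The cookie names session_id and csrf_token and the /private path are constructed assumptions.

```python
from http.cookies import SimpleCookie

WEBAUTH_LOGOUT_URL = "https://webauth.ox.ac.uk/logout"

# Constructed assumption: the cookies this application sets for its own state.
APP_COOKIE_NAMES = ("session_id", "csrf_token")


def expired_cookie_header(name, path="/private"):
    """Set-Cookie value that tells the browser to discard an application cookie.

    Path (and Domain, if one was used) must match what the cookie was set with,
    otherwise the browser treats it as a different cookie and keeps the original.
    """
    return (f"{name}=; Path={path}; Expires=Thu, 01 Jan 1970 00:00:00 GMT; "
            f"Max-Age=0; Secure; HttpOnly")


def logout_response(cookie_header, app_cookie_names=APP_COOKIE_NAMES, app_path="/private"):
    """Return (status, headers) for the /private/logout location.

    Only the application's own cookies are expired here; the webauth_* cookies
    scoped to this server are removed by the module via WebAuthDoLogout, and the
    master cookie is removed by the central logout page we redirect to.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    headers = [("Set-Cookie", expired_cookie_header(name, app_path))
               for name in app_cookie_names if name in jar]
    headers.append(("Location", WEBAUTH_LOGOUT_URL))
    return "302 Found", headers


def application(environ, start_response):
    """WSGI entry point suitable for mounting under <Location /private/logout>."""
    status, headers = logout_response(environ.get("HTTP_COOKIE", ""))
    start_response(status, headers)
    return [b""]
```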
