My web application has login by OpenID Connect. When I test the logout button I'm redirected to the configured logout URL, but when I try to log in again I am already logged in.

I would like it to work like this:

  • When I log out, I am logged out.
  • When X minutes have passed, I am automatically logged out and if I try to do something in my browser window, I will be redirected to the "you are not logged in" page.

How do I control the session? Or, the functionality of the logout button?

Miss Q

1 Answer

The logout action clears the login cookie from the browser. This means that the next request does not have an authenticated user.

To have the cookie time-limited, you control this in your OAuth provider.

Currently, an untouched app that over time has an invalid cookie will look like it is logged in until you navigate to another page - then the cookie will be discovered as stale - the OAuth server may then (depending on settings) issue a new token and you are still logged in - or refuse without authentication and you will be taken to the login page.

Hans Karlsen
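An added example, not part of the answer above and not the code of any particular product: a server-side idle-timeout check for the "X minutes" requirement, plus a logout that clears the local session and then redirects to the provider's logout endpoint so the provider session ends as well. It assumes the provider supports OpenID Connect RP-Initiated Logout (`end_session_endpoint`, `id_token_hint`, `post_logout_redirect_uri`); the function names, the 15-minute value and all URLs are constructed.

```python
import time
from urllib.parse import urlencode

# The question's "X minutes"; 15 is a constructed value for this example.
IDLE_TIMEOUT_SECONDS = 15 * 60


def check_session(session, now=None):
    """Return "active" or "expired" for a server-side session dict.

    Run on every request, so a browser window left open cannot keep
    working just because it still holds a cookie.
    """
    now = time.time() if now is None else now
    if not session or "last_seen" not in session:
        return "expired"
    if now - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
        session.clear()           # drop the local login state
        return "expired"          # caller redirects to the "not logged in" page
    session["last_seen"] = now    # sliding window: activity extends the session
    return "active"


def provider_logout_url(end_session_endpoint, id_token, post_logout_redirect_uri, state):
    """Build the RP-initiated logout redirect to the OpenID provider."""
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    })
    return f"{end_session_endpoint}?{query}"


def logout(session, end_session_endpoint, post_logout_redirect_uri, state):
    """Clear the local session first, then return the provider logout URL."""
    id_token = session.get("id_token", "")
    session.clear()
    return provider_logout_url(end_session_endpoint, id_token,
                               post_logout_redirect_uri, state)


if __name__ == "__main__":
    # Constructed sample session and endpoints.
    s = {"last_seen": time.time(), "id_token": "constructed.id.token"}
    print(check_session(s))
    print(logout(s, "https://idp.example/logout",
                 "https://app.example/logged-out", "constructed-state"))
```

If the provider has no logout endpoint, the standard `prompt=login` or `max_age` parameters on the next authorization request ask it to re-authenticate the user instead of silently reusing its own session.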