Facebook Logout

After hitting api/auth/logout the SS cookie is gone, but Facebook oauth seems to happily log the user back in when they come back.

This is not too bad for normal use, but won’t work if someone wants to switch user accounts (testing, shared machines).

Does something need to happen here https://github.com/ServiceStack/ServiceStack/blob/master/src/ServiceStack/Auth/AuthProvider.cs#L82 to hit this? https://developers.facebook.com/docs/reference/javascript/FB.logout

The current behavior is the behavior we want. You can just logout of Facebook or clear Facebook’s (or all) cookies to login as a different user.

Note: Facebook OAuth is all server-side so we don’t use the Facebook JavaScript client that you’ve linked to.

Thanks mythz.

I gather we’ve got the server-side access token stored somewhere (https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension) but is it in a cookie? I’ve deleted every cookie related to the site but am still autologging-in.

The new SS cookie has a different ss-id.

http://stackoverflow.com/questions/9961929/facebook-logout-using-oauth-server-side seems to suggest that server-side logout isn’t possible. Though that post is outdated.

Please note you need to delete Facebook’s Cookies i.e. not ServiceStack’s which are already taken care of. The easiest way to do this is to visit facebook.com and delete the cookies in WebInspector or just logout of Facebook from the menu item.

It makes sense it wouldn’t be possible, I wouldn’t want to logout a user out of their Facebook session even if it was possible.

That makes sense. But of course we can’t delete cookies from other sites programatically. So since we’re not using the JS client there is no way to log out the user from Facebook oauth.

Hmm, which if that is true we’re not being very secure.

I sit down at a shared computer, login with oauth, then logout (which does nothing to oauth), then the next person comes along, clicks login and away they go on the other account.

But the logout works here! http://bootstrapapi.servicestack.net/timelines

I discovered that my UserSessions are somehow being shared between all instances! (I open a different browser and I’m still logged in) Crazy pills! I feel like I cloned the SocialBootstrapapi project pretty closely, and I don’t have any static variables.

Then I looked more closely at AppHost.cs and discovered I was registering a SINGLETON of CustomUserSession?! What was I thinking?!

The error of my ways:

        var customSession = new CustomUserSession
            AppSettings = AppSettings,
            repositoryFactory = container.Resolve<IRepositoryFactory>()

        Plugins.Add(new AuthFeature(
            () => customSession,
1 Like