Facebook Logout

After hitting api/auth/logout the SS cookie is gone, but Facebook OAuth seems to happily log the user back in when they come back.

This is not too bad for normal use, but won’t work if someone wants to switch user accounts (testing, shared machines).

Does something need to happen here https://github.com/ServiceStack/ServiceStack/blob/master/src/ServiceStack/Auth/AuthProvider.cs#L82 to hit this? https://developers.facebook.com/docs/reference/javascript/FB.logout

The current behavior is the behavior we want. You can just logout of Facebook or clear Facebook’s (or all) cookies to login as a different user.

Note: Facebook OAuth is all server-side so we don’t use the Facebook JavaScript client that you’ve linked to.

Thanks mythz.

I gather we’ve got the server-side access token stored somewhere (https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension) but is it in a cookie? I’ve deleted every cookie related to the site but am still being auto-logged in.

The new SS cookie has a different ss-id.

http://stackoverflow.com/questions/9961929/facebook-logout-using-oauth-server-side seems to suggest that server-side logout isn’t possible. Though that post is outdated.

Please note you need to delete Facebook’s Cookies i.e. not ServiceStack’s which are already taken care of. The easiest way to do this is to visit facebook.com and delete the cookies in WebInspector or just logout of Facebook from the menu item.

It makes sense it wouldn’t be possible, I wouldn’t want to log a user out of their Facebook session even if it was possible.

That makes sense. But of course we can’t delete cookies from other sites programmatically. So since we’re not using the JS client there is no way to log the user out of Facebook OAuth.

Hmm, if that is true then we’re not being very secure.

I sit down at a shared computer, log in with OAuth, then log out (which does nothing to OAuth), then the next person comes along, clicks login and away they go on the other account.

But the logout works here! http://bootstrapapi.servicestack.net/timelines

I discovered that my UserSessions are somehow being shared between all instances! (I open a different browser and I’m still logged in.) Crazy pills! I feel like I cloned the SocialBootstrapApi project pretty closely, and I don’t have any static variables.

Then I looked more closely at AppHost.cs and discovered I was registering a SINGLETON of CustomUserSession?! What was I thinking?!

The error of my ways:

        // The bug: ONE CustomUserSession instance is built at startup...
        var customSession = new CustomUserSession
        {
            AppSettings = AppSettings,
            repositoryFactory = container.Resolve<IRepositoryFactory>()
        };

        // ...and the session factory hands that same instance to every request,
        // so every user shares a single session object.
        Plugins.Add(new AuthFeature(
            () => customSession,
            new IAuthProvider[] { /* auth providers cut off in the original post */ }));
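The corrected registration, as an added example that is not code from the original post or from ServiceStack itself: the AuthFeature session factory must return a fresh session object on every call, otherwise one object is shared by all requests and every browser appears logged in as the same user. The AppHost name, the minimal CustomUserSession and IRepositoryFactory stand-ins (reconstructed from the post’s initializer) and the FacebookAuthProvider line are assumptions; namespaces vary between ServiceStack versions.

```csharp
using System;
using Funq;
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.Configuration;

// Stand-ins reconstructed from the post's object initializer (assumption, not the project's code).
// Note: ServiceStack persists sessions to the ICacheClient, so think twice before
// hanging services like a repository factory off the session object at all.
public interface IRepositoryFactory { }

public class CustomUserSession : AuthUserSession
{
    public IAppSettings AppSettings { get; set; }
    public IRepositoryFactory repositoryFactory { get; set; }
}

// Hypothetical AppHost name.
public class AppHost : AppHostBase
{
    public AppHost() : base("Facebook OAuth demo", typeof(AppHost).Assembly) { }

    public override void Configure(Container container)
    {
        // WRONG (what the post shows): the session is created once, and the lambda
        // returns that same instance for every request.
        //
        //   var shared = new CustomUserSession { ... };
        //   Plugins.Add(new AuthFeature(() => shared, ...));

        // RIGHT: build the session inside the factory, so each call gets its own instance.
        Func<IAuthSession> sessionFactory = () => new CustomUserSession
        {
            AppSettings = AppSettings,
            repositoryFactory = container.Resolve<IRepositoryFactory>()
        };

        Plugins.Add(new AuthFeature(
            sessionFactory,
            new IAuthProvider[]
            {
                // Assumed: the thread is about Facebook OAuth, so a Facebook provider is registered.
                new FacebookAuthProvider(AppSettings),
            }));
    }

    // Sanity check a practitioner can run in a unit test: two calls must not
    // hand back the same object. A singleton factory fails this immediately.
    public static bool SessionFactoryIsPerCall(Func<IAuthSession> factory)
    {
        return !ReferenceEquals(factory(), factory());
    }
}
```

Calling SessionFactoryIsPerCall with the post’s original `() => customSession` returns false, which is the shared-session bug in one line; with the factory above it returns true.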