I'm implementing Facebook login in my Django application.
The parts for creating new users and letting those users log in via Facebook are working without any issues.

My problem is when a user logged in with a Facebook account wants to log out from my application.
To log out a user from my application I'm using the link:

<a href="{% url 'auth:logout' %}?next={{ request.path }}">Logout</a>

This link logs the user out of the application, but keeps the browser logged in to Facebook.
When the user tries to log in again, no Facebook pop-up gives him the option to log in as another user, for instance.

This can become a real issue if 2 users are working on the same computer.
Let's say a user is at a friend's home and she wants to do some work with my application.
She will log in with her Facebook account, do the work and log out.
From her perspective she logged out from everything she was doing.
But this is not the case. The browser is still logged in to Facebook with her user!

If the friend tries to log in to my application, she will be in without any need to give a username/password, and with her friend's user.

In addition, Facebook's terms of use say "Provide a "Log Out" option that functions properly and is easy to find" (here).

Is there a way to force a re-login? Or to force a Facebook logout as well as a Django logout?

Izack
    I think it's the expected behavior. Facebook will check your logged-in status via cookies, and you can't remove them from your domain. When you use your connector you are in fact opening an iframe to FB so that it can check for its cookies and, in case, request you to log in. – Germano Jul 03 '14 at 08:23
  • You can log out from Facebook using its API. Something like this should work: http://stackoverflow.com/questions/2764436/facebook-oauth-logout – Ankit Jaiswal Jul 03 '14 at 08:43
  • @lzack, there are two cookies here, one set by ``python-social-auth`` to flag your login status in your project, another set by Facebook when you accept the application permissions and that one belongs to Facebook and cannot be removed by your domain. As @Ankit pointed out, there's a Facebook API to logout the user that you need to call. – omab Jul 04 '14 at 02:34
  • @omab, Ankit, Thanks! I'm working on such a script. Since such an action is a must (by the Facebook license), I hope that one day it will become part of python-social-auth. – Izack Jul 04 '14 at 03:20
  • @lzack, I'm not sure if this should be part of python-social-auth, but I'll be glad to add it to the ``Use Cases`` section in the docs if you manage to get something working. – omab Jul 07 '14 at 22:36
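The comments point at Facebook's own logout API as the missing piece. The handler below is an added example (not code from the question, the commenters or python-social-auth): it uses the Facebook JS SDK's FB.getLoginStatus and FB.logout to end the Facebook session first and only then follows the Django logout link, so the next person at the same browser gets the Facebook login dialog instead of the previous user's session. It assumes the SDK is loaded and FB.init() has run, and that the template's Logout link carries id="fb-logout"; the fb and navigate arguments are injected so the flow can be exercised without the SDK.

```javascript
// Logs the user out of Facebook (via the SDK) before hitting Django's logout view.
// fb:       the SDK's FB object (injected so it can be faked in tests)
// logoutUrl: the href of the Django logout link, e.g. "/auth/logout/?next=/"
// navigate: function(url) that performs the redirect (window.location in a browser)
// done:     called with "facebook+django" or "django" to report which sessions were ended
function logoutEverywhere(fb, logoutUrl, navigate, done) {
  fb.getLoginStatus(function (response) {
    if (response && response.status === 'connected') {
      // The browser holds a Facebook session authorised for this app.
      // The SDK documents FB.logout as ending the Facebook session as well,
      // which is what prevents the "friend is auto-logged-in as me" scenario.
      fb.logout(function () {
        navigate(logoutUrl);
        done('facebook+django');
      });
    } else {
      // No Facebook session for this app (plain username/password user,
      // or already logged out of Facebook): the Django logout is enough.
      navigate(logoutUrl);
      done('django');
    }
  });
}

// Browser wiring: intercept the Logout link so the Facebook logout runs first.
// Assumed markup: <a id="fb-logout" href="{% url 'auth:logout' %}?next={{ request.path }}">Logout</a>
if (typeof window !== 'undefined' && typeof FB !== 'undefined') {
  var link = document.getElementById('fb-logout');
  if (link) {
    link.addEventListener('click', function (event) {
      event.preventDefault();
      logoutEverywhere(FB, link.href, function (url) { window.location.href = url; }, function () {});
    });
  }
}
```

If FB.logout is never reached (for example the SDK failed to load), the plain href still works as a fallback because the click handler is only attached when FB exists.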

0 Answers