Closed (works as designed)
Project:
Gigya - Social Infrastructure
Version:
6.x-1.0-beta4
Component:
Social network integration
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
23 Sep 2009 at 18:16 UTC
Updated:
6 Mar 2010 at 17:20 UTC
Comments
Comment #1
lukehamilton commented: I just tested this too with Facebook and yes, when I log out of my site, the session is still active and I can log directly into Facebook.
I also found that the next time I go to log back into my site (with the active session for Facebook still being alive in the background) I can log directly into my site too.
Comment #2
ron williams commented: Since this has been confirmed I am increasing this from normal to critical as this is a MAJOR security flaw which makes users think they're logged out while essentially being logged in.
Comment #3
jbrauer commented: Thanks for the report. This is working correctly.
You can verify that indeed you are logged out of the Drupal site by doing the following:
1. Login (or create a new account) using the Facebook icon in the Gigya login block.
2. If you are not currently logged in to Facebook you will be prompted to login to Facebook Connect. (Note at this point you are logging in to Facebook on the Facebook site just as though you did it from the front page of Facebook).
3. Log out of the Drupal site.
4. Log out of Facebook.
5. Clicking on the Facebook icon on the Drupal site will cause you to be prompted for a Facebook login.
The same mechanism works with Twitter or any of the other access providers. Unfortunately Facebook doesn't make it very clear on the login screen that you are logging in to Facebook when you are doing so through the connect interface. This connect interface, however, is 100% on the Facebook site. Twitter on the other hand clearly says "Sign-in". So it would be great if Facebook would address this. Even with the Twitter mechanism one may wonder if average users fully appreciate they are signing in to the Twitter site.
As long as you are logged into your social network and have authorized the Drupal site as an app for whichever social network you will be able to login to the Drupal site without further prompting. As noted in this issue it's a very bad idea to leave your social networks logged in on a shared computer.
Please practice safe computing and always close the browser completely when you leave a public workstation. Better yet log out of all web apps you are in and close all browser windows.
Comment #4
ron williams commented: I do understand that this is a Gigya issue rather than an issue with the Drupal module. The problem is Facebook (and other social networks) predicted this issue and addressed it, see http://wiki.developers.facebook.com/index.php/Connect/Authorization_Webs.... People don't think they will stay signed in to the social network when they have logged into it just for the site.