Passport.js sign in with Google - req.logout signs out of my site but leaves the google account signed in?
Question
I am adding sign in with Google to my website using passport.js.
Login / out correctly creates and destroys the session on my server so from my site's perspective everything is fine.
However, after logout, the browser is still signed in to Google (I can go to Gmail for example and it doesn't require credentials).
On a private computer this would be OK, but it seems scary-bad on a shared/public device - I wouldn't have expected to need to sign out from Google AFTER signing out from the website.
So, questions:
- Is my concern about a shared device valid?
- If the answer to 1 is yes, how do I "properly" sign out when necessary? I don't see anything in Passport.js to do that.
Answer 1
Score: 0
1. Yes, you are right about your concerns. If a user logs in on a shared device she will leave her Gmail logged in.
2. The answer is — you can't initiate a sign-out at Google from your website. These are two completely unrelated user sessions, and Google is in control of that session, not you. All you can do is properly inform the user about the dangers of using federated login on a shared device. The user is responsible for signing out from all the websites she has logged in to.
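An added example, not code from the question or the answer above, showing the part of the logout that the site does control. It assumes an Express app using express-session with its default cookie name "connect.sid", Passport 0.6 or later (where req.logout takes a callback), and that the Google strategy's verify callback stored the access token on req.user.accessToken; none of those details are stated on the page. The handler tears down the local session in the right order and then, as a best-effort extra, revokes the token Google issued to this app. Revocation only invalidates this app's grant; consistent with the answer, it does nothing to the user's Google browser session, so the shared-device warning on the logged-out page is still needed.

```javascript
// Added example: full local logout for an Express + Passport app using Google sign-in.
// Assumptions (not from the original page): express-session default cookie name,
// Passport >= 0.6 callback-style req.logout, and req.user.accessToken set at login.
const SESSION_COOKIE_NAME = "connect.sid";
const GOOGLE_REVOKE_URL = "https://oauth2.googleapis.com/revoke";

// Builds the request that revokes the OAuth token Google issued to *this* app.
// This does not end the user's Google browser session; only the user can do that.
function buildRevokeRequest(accessToken) {
  return {
    url: GOOGLE_REVOKE_URL,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({ token: accessToken }).toString(),
  };
}

// Logout handler. Order matters:
//  1. passport: drop req.user and the login marker from the session
//  2. express-session: destroy the server-side session record
//  3. browser: expire the session cookie so the old session id cannot be replayed
//  4. best effort: revoke this app's Google token (must not block the logout)
//  5. redirect to a page that explains the shared-device caveat
// fetchImpl is injectable so the handler can be exercised without network access.
function logoutHandler(req, res, next, fetchImpl = globalThis.fetch) {
  const accessToken = req.user && req.user.accessToken;
  req.logout((err) => {
    if (err) return next(err);
    req.session.destroy((destroyErr) => {
      if (destroyErr) return next(destroyErr);
      res.clearCookie(SESSION_COOKIE_NAME);
      if (accessToken) {
        const r = buildRevokeRequest(accessToken);
        try {
          // Local logout is already complete; a failed revoke is logged-and-ignored territory.
          Promise.resolve(fetchImpl(r.url, { method: r.method, headers: r.headers, body: r.body }))
            .catch(() => {});
        } catch (_) { /* no fetch available; nothing more the site can do */ }
      }
      res.redirect("/logged-out");
    });
  });
}
// Wiring in Express (hypothetical route): app.post("/logout", (req, res, next) => logoutHandler(req, res, next));

// Constructed fake req/res objects so the handler can be run offline; they record
// the calls made so the order above can be checked.
function runWithFakes(accessToken) {
  const calls = [];
  const req = {
    user: accessToken ? { id: "user-1", accessToken } : undefined,
    logout(cb) { calls.push("passport.logout"); this.user = undefined; cb(); },
    session: { destroy(cb) { calls.push("session.destroy"); cb(); } },
  };
  const res = {
    clearCookie(name) { calls.push("clearCookie:" + name); },
    redirect(url) { calls.push("redirect:" + url); },
  };
  const fakeFetch = (url) => { calls.push("revoke:" + url); return Promise.resolve({ ok: true }); };
  logoutHandler(req, res, (err) => calls.push("error:" + err), fakeFetch);
  return calls;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runWithFakes("ya29.constructed-sample-token"));
}
```

The revoke call is deliberately fire-and-forget: the user's local logout must succeed even if Google is unreachable, and the redirect target is where the site should state plainly that on a shared device the user also has to sign out of Google.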