OpenID best implementation practices?

Martin Atkins mart at
Sun Jan 1 15:43:45 UTC 2006

Johannes Ernst wrote:
> 2) is there a "best practice" for single sign-OUT (not -IN). It is 
> relatively straightforward to keep track of all the Relying Parties  at
> which I have authenticated during the current session, but other  than
> visiting each of them manually and looking for the OpenID Logout  button
> on each of them, can I automate this from one big button "log  out
> everywhere"?

OpenID does not have a concept of "session". A successful OpenID
authentication says "at this instant, I verify that the user is"; it is up to the consumer to decide what
assumptions to make about that.

Most consumer site implementations create some kind of "session" to
track the user after the OpenID authentication step. The user must
explicitly log out at each site using the site-specific mechanism provided.

More information about the yadis mailing list