The logout button
Hosted Login provides profile management screens that can be displayed to logged-in end users for tasks like updating their profile information and resetting their password. These screens include a Logout button by default.
When a user clicks the Logout button, their current "device" is unbound from the Hosted Login session. In other words, the Hosted Login session forgets the current device, so if the user wants to regain access on this device, they'll need to log in again on this device.
Important Concept
There can only be 1 Hosted Login session per user (uuid) at any given time. As a user logs in across various devices, those devices are bound to the same session. When a user logs out from a device, that device is unbound from the session, while other devices retain access to the session. This architecture allows for a secure “Log me out everywhere” function because when the Hosted Login session is deleted, all device logins (“bindings”) are deleted with it.
What exactly is a "device"? In Hosted Login, a device consists of:
- A specific user account.
- A specific piece of hardware (your computer is one piece of hardware and your cell phone is a second piece of hardware).
- A specific web browser (Chrome, Safari, Edge, etc.)
In other words, here’s one device:
- Karim Nafir (user)
- Karim’s laptop computer
- Chrome
Here’s a second device:
- Karim Nafir (user)
- Karim’s laptop computer
- Edge
Same user and same hardware, but a different browser: that’s what makes it a different device. Here’s a third device:
- Karim Nafir (user)
- Karim’s cell phone
- Chrome
Same user and same browser, but a different piece of hardware. That makes it a different device.
This means that logging out of one browser tab in Chrome, for example, also logs you out of all your other browser tabs in Chrome.
What is the user experience?
Let's say a user is logged into the same Hosted Login profile management UI across two tabs in the same browser instance, and they click the Logout button in one tab. The Logout Successful message is displayed in that tab.
When they navigate to the other tab, the window immediately refreshes and the sign-in screen replaces the user profile screen.
But suppose, in addition to those Chrome browser tabs, you were logged onto the same website using Firefox. What happens to the Firefox session when you log out in Chrome? Nothing: that session represents a separate device.
Alternatively: suppose you’re using Safari and log on to a website on your computer; you then use Safari to log on to that same website on your cell phone. If you log off from the site on the computer, that will not log you off from the site on your phone. As noted before, logout is tied to the "device", and not to a web browser in general or a specific piece of hardware.
We should also mention that Hosted Login logout relies, in part, on a pair of cookies: _csrf_token and aic_authui_{customer_id}. Because cookies aren’t shared between a regular browser window and a private browser window, logging off from a website in a regular browser window won’t log you off from a session running in a private window. For example, suppose you log on to website A in a regular Chrome window. You then open an incognito window and log on to that same website. If you log off from the site in the regular window, the session running in incognito mode continues to chug along (and vice-versa). That means that, depending on how you want to look at it, a device actually consists of:
- A specific user account
- A specific piece of hardware (your computer is one piece of hardware and your cell phone is a second piece of hardware)
- A specific web browser (Chrome, Safari, Edge, etc.)
- A specific browser window mode (regular or private)
So what happens if you’re running a browser instance in private mode and you have the same website open in two different tabs? In that case, session logout works: logout from private tab 1 and you’ll also be logged off in private tab 2. That’s because the same private browser instance can share cookies.
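To make the one-session-per-user, many-device-bindings model above concrete (including the window-mode refinement just described), here is a small added simulation. It is illustrative code written for this page, not Hosted Login's implementation: the `Device` key, the `HostedLoginModel` class and its method names are assumptions, and the user identifier is constructed. It walks through the page's own scenarios: two Chrome tabs share one device key, Edge and the phone are separate devices, a private window is a separate device, and "Log me out everywhere" removes every remaining binding at once.

```python
"""Toy model of Hosted Login's one-session-per-user, many-device-bindings design.

Illustrative only: the session store, the Device key and the function names are
assumptions made for this example, not Hosted Login's implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, NamedTuple, Set


class Device(NamedTuple):
    """A 'device' as the page defines it: account + hardware + browser + window mode.
    Two tabs in the same browser and window mode share cookies, so they produce
    the same Device key and therefore the same binding."""
    uuid: str
    hardware: str
    browser: str
    mode: str = "regular"   # "regular" or "private"


@dataclass
class Session:
    uuid: str
    bindings: Set[Device] = field(default_factory=set)


class HostedLoginModel:
    """Keeps at most one Session per uuid; devices bind to and unbind from it."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, device: Device) -> Session:
        # A further device for the same user joins the existing session rather than
        # creating a new one: there is only ever one session per uuid.
        session = self._sessions.setdefault(device.uuid, Session(device.uuid))
        session.bindings.add(device)
        return session

    def logout(self, device: Device) -> None:
        """The Logout button: forget only this device. Other bindings keep access."""
        session = self._sessions.get(device.uuid)
        if session is not None:
            session.bindings.discard(device)

    def logout_everywhere(self, uuid: str) -> int:
        """'Log me out everywhere': delete the session, which takes every binding
        with it. Returns how many device bindings were removed."""
        session = self._sessions.pop(uuid, None)
        return len(session.bindings) if session else 0

    def is_logged_in(self, device: Device) -> bool:
        session = self._sessions.get(device.uuid)
        return session is not None and device in session.bindings


def demo() -> dict:
    """Replay the page's scenarios and report what each tab/device sees."""
    m = HostedLoginModel()
    karim = "uuid-karim"   # constructed identifier, not a real uuid
    laptop_chrome = Device(karim, "laptop", "Chrome")
    laptop_chrome_tab2 = Device(karim, "laptop", "Chrome")   # second tab: same device key
    laptop_edge = Device(karim, "laptop", "Edge")
    phone_chrome = Device(karim, "phone", "Chrome")
    laptop_chrome_private = Device(karim, "laptop", "Chrome", mode="private")

    for d in (laptop_chrome, laptop_edge, phone_chrome, laptop_chrome_private):
        m.login(d)

    m.logout(laptop_chrome)   # click Logout in one Chrome tab
    after_one_logout = {
        "chrome_tab2": m.is_logged_in(laptop_chrome_tab2),           # False: same device
        "edge": m.is_logged_in(laptop_edge),                         # True: different browser
        "phone": m.is_logged_in(phone_chrome),                       # True: different hardware
        "chrome_private": m.is_logged_in(laptop_chrome_private),     # True: different window mode
    }
    removed = m.logout_everywhere(karim)   # the three remaining bindings go away together
    return {
        "after_one_logout": after_one_logout,
        "removed_everywhere": removed,
        "edge_after_everywhere": m.is_logged_in(laptop_edge),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the shape of the data, not the code: because every device for a user hangs off a single session record, revoking that one record is all "Log me out everywhere" has to do, whereas the ordinary Logout button only removes the caller's own binding.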