Session logout in Hosted Login

In its initial release, Hosted Login handled sessions on a browser tab-by-browser tab basis. For example, suppose you were using Chrome and you logged on to a Hosted Login website in tab 1 of that browser. You then opened your Hosted Login user profile in a second tab in the same browser. In effect, you’re logged on to the same website in two different browser tabs. So far so good.

Now let’s take this one step further. Suppose you open your user profile in tab 1 and then click Logout; in that case, you’ll be logged off from the website, but only in browser tab 1. Remember the user profile you opened in browser 2? That session is still active, and you can still use that tab to make and submit changes to your user profile, even though you’ve logged off from the site. (Or, to be more accurate, you logged off from your session in browser tab 1.) If you were using a shared computer, that would mean, among other things, that your user profile would be available to anyone else who used that computer, even though you had logged off (or at least you believed that you had logged off) from the site.



In case you were wondering, this behavior was due to a temporarily-unavoidable artifact of the transition from the JavaScript SDK to Hosted Login.


Thanks to a March, 2022 update, however, Hosted Login no longer treats separate browser tabs as being (for our purposes) separate Hosted Login sessions. For example, suppose we repeat the previously-described behavior, and have the same Hosted Login website open in two different browser tabs:

We should note that it doesn’t matter how we started these two instances of Hosted Login. For example, we might have logged in to the website using browser tab 1, then duplicated that tab to create browser tab 2. Or, we might have logged in to the site from browser tab 1, opened a new browser tab, and then logged in a second time. It makes no difference.

In addition to that, when we say “two browser tabs” those tabs can either be running in the same browser window or in separate browser windows. For example, here we’ve opened the same website, and our same user profile, in two different windows:

Either way, what happens when we click the Logout button in one of the browser tabs (it doesn’t matter which one)? As you can see, the Logout Successful message is displayed; meanwhile, the user profile appears to still be active in browser tab 2:

However, appearances can be deceiving. If you click on this second browser tab, the window immediately refreshes and the sign-in screen replaces the user profile:

Why? That’s right: because you logged out from browser tab 1. As soon as you clicked Logout, Hosted Login revoked all the access tokens for all the sessions running on this device (more on what that means in a moment). The net result? Not only were you logged out (i.e., had your access token revoked) from the site in browser tab 1, but you were also logged out (i.e., had your access tokens revoked) from that same site in browser tab 2. If you had additional sessions running in browser tabs 3, 4, and 5, you’d be logged out of those sessions as well. In other words, logging out means logging out from the device, and not just from the one browser tab where you clicked Logout.

Which raises a good question: why do we keep talking about devices? Well, as you probably know, in Hosted Login a device consists of:

  • A specific user account.
  • A specific piece of hardware (your computer is one piece of hardware and your cell phone is a second piece of hardware).
  • A specific web browser (Chrome, Safari, Edge, etc.)

In other words, here’s one device:

  • Karim Nafir (user)
  • Karim’s laptop computer
  • Chrome

Here’s a second device:

  • Karim Nafir (user)
  • Karim’s laptop computer
  • Edge

Same user and same hardware, but a different browser: that’s what makes it a different device. Here’s a third device:

  • Karim Nafir (user)
  • Karim’s cell phone
  • Chrome

Same user and same browser, but a different piece of hardware. That makes it a different device.

Why is this important? Well, as we’ve just seen, logging out of one browser tab in Chrome also logs you out of all your other browser tabs in Chrome. But suppose, in addition to those two Chrome browser tabs, we logged onto the same website using Firefox. What happens to the Firefox session when we log out in Chrome? Nothing: that session represents a separate device. Because of that, we can still update our user profile in Firefox:

Or consider this: suppose we’re using Safari and we log on to a website on our computer; we then use Safari to log on to that same website on our cell phone. If we log off from the site on the computer, that will not log us off from the site on our phone. As we noted before, the ability to revoke access tokens is tied to the device, and not to a specific web browser or a specific piece of hardware.

We should also mention that session logout relies, in part, on a pair of cookies: _csrf_token and aic_authui_{customer_id}. Because cookies aren’t shared between a regular browser window and a private browser window, logging off from a website in a regular browser window won’t log you off from a session running in a private window. For example, suppose you log on to website A in a regular Chrome window. You then open an incognito window and log on to that same website. If you log off from the site in the regular window, the session running in incognito mode continues to chug along (and vice-versa). That means that, depending on how you want to look at it, a device actually consists of:

  • A specific user account.
  • A specific piece of hardware (your computer is one piece of hardware and your cell phone is a second piece of hardware).
  • A specific web browser (Chrome, Safari, Edge, etc.)
  • A specific browser window mode (regular or private).

So what happens if you’re running a browser instance in private mode and you have the same website open in two different tabs? In that case, session logout works: logout from private tab 1 and you’ll also be logged off in private tab 2. That’s because the same private browser instance can share cookies.
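The device-scoped revocation rule described above, written out as a small model so the scenarios on this page (second tab, different browser, different hardware, private window) can be checked side by side. This is an added example, not Hosted Login code; the Device tuple, SessionStore and the user/hardware names are constructed for illustration.

```python
"""Added example (not Hosted Login code): a toy model of device-scoped
session logout. A 'device' is the tuple (user, hardware, browser, window
mode); logging out revokes every access token issued to that device and
leaves tokens on other devices untouched. All identifiers are constructed."""
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class Device:
    user: str
    hardware: str
    browser: str
    mode: str = "regular"  # "regular" or "private" (cookies are not shared)


@dataclass
class SessionStore:
    # access token -> the device it was issued to
    tokens: dict = field(default_factory=dict)

    def login(self, device: Device) -> str:
        """Open a new tab/session: issue an access token bound to the device."""
        token = secrets.token_hex(8)
        self.tokens[token] = device
        return token

    def is_active(self, token: str) -> bool:
        return token in self.tokens

    def logout(self, token: str) -> int:
        """Logout from one tab revokes every token on the same device.
        Returns the number of tokens revoked (0 if already revoked)."""
        device = self.tokens.get(token)
        if device is None:
            return 0
        revoked = [t for t, d in self.tokens.items() if d == device]
        for t in revoked:
            del self.tokens[t]
        return len(revoked)


def demo():
    """Replays the page's scenarios; returns (revoked count, per-tab status)."""
    store = SessionStore()
    laptop_chrome = Device("karim", "laptop", "Chrome")
    tab1 = store.login(laptop_chrome)
    tab2 = store.login(laptop_chrome)  # second tab, same device
    firefox = store.login(Device("karim", "laptop", "Firefox"))
    phone = store.login(Device("karim", "phone", "Safari"))
    incognito = store.login(Device("karim", "laptop", "Chrome", "private"))
    revoked = store.logout(tab1)  # logs out tab1 AND tab2, nothing else
    return revoked, [store.is_active(t) for t in (tab1, tab2, firefox, phone, incognito)]
```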