Should logging out delete ALL persistent sessions?

Hi guys, not been here for a while. The forums seem to have changed massively since I last posted!

An application I am developing has one of those “remember me for 30 days” features.

When a user logs out their persistent session is currently remembered. This means when they return later they are still automatically logged in. Does this idea seem right to people? Should logging out also destroy your persistent session?

The system is also designed so that a user can have multiple persistent sessions mapped to a single username. When they log out should all of the sessions on other browsers/systems be deleted too?

Thanks for the feedback.

When you say the “user logs out” do you mean they simply close their browser or they actively click something to log out? The difference is huge, as far as I’m concerned. If the user set the 30 day feature and then just closes the browser, they should probably stay logged in. However, if the user actively attempts to log out then the 30 day rule is out the window and the session should be destroyed entirely.

Sorry for the lack of clarity. I mean when the user clicks the “log out” link.

If the user clicks the logout link then they should be logged out.

If they ticked “Remember Me” then their username should be filled in automatically on the login screen the next time they visit.

Yes, if they are logging out, they are logging out. Setting a cookie is for when they close the browser (or just the page tab). As part of the logout you should clear the cookie.

The cookie that identifies them as logged in should be cleared. The cookie that remembers their username so they don’t need to type it the next time they log in should be kept.

The browser can do that without the cookie.

Not necessarily. It depends on the browser and the browser settings. If all browsers did that automatically there’d be no need for any login forms to include a “remember me” checkbox.

Should is only your opinion here. There may be privacy concerns - for example, after I log out I may not want other people to know that I was visiting the site. Especially when the email address is used as login. And really important on banking sites, etc. Also, as Morris said, every modern browser remembers input form data, so no need to replicate that with a cookie. I am the one who doesn’t like seeing my username filled in automatically after I log out of the site.

And that is a good thing and let it stay that way - I can control this behaviour in my browser settings and I don’t want web sites to impose on me filling in my username automatically.

If all browsers did that automatically there’d be no need for any login forms to include a “remember me” checkbox.

There is a difference between a browser remembering my credentials and “remember me” function. When I rely on my browser then I get logged out each time I end my session and when I come back I need to log in again through a login form so each time I come back I get to choose whether I want to log in (in a single click since my browser fills in my credentials) or browse the site as a guest. When I check “remember me” then each time I come back I am already logged in, no need to go through the login form again.

I don’t think so. I may visit a site regularly from my home computer which uses a persistent session because I trust that no one will take advantage of that. However, I may occasionally log in to the same site on someone else’s computer and then log out and I wouldn’t want my home session to end.

Two things to consider:

  • when a user changes password then all his persistent sessions are deleted except the current one
  • optionally, you could enable users to delete all their persistent sessions if they wish, for example in the user control panel
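As an added example (not code from anyone in this thread), here is a hypothetical server-side store for "remember me" tokens that implements the behaviours discussed above: one token per browser, explicit logout revoking only that browser's token, a password change revoking every other token, and a control-panel action revoking all of them. The selector/validator split and the hashing of the validator are assumptions of this example, not anything the thread specifies.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def _hash(validator: str) -> str:
    # Only a hash of the secret half is stored, so a leaked table cannot be replayed.
    return hashlib.sha256(validator.encode()).hexdigest()


class PersistentSessionStore:
    """Hypothetical table backing a 'remember me for 30 days' cookie.

    One row per browser: selector -> (username, hashed validator).
    """

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[str, str]] = {}

    def issue(self, username: str) -> str:
        """Create a persistent session for one browser and return the cookie value."""
        selector = secrets.token_urlsafe(9)      # public lookup key
        validator = secrets.token_urlsafe(32)    # secret, never stored in clear
        self._rows[selector] = (username, _hash(validator))
        return f"{selector}:{validator}"

    def lookup(self, cookie: str) -> Optional[str]:
        """Return the username if the cookie is valid and not revoked, else None."""
        selector, _, validator = cookie.partition(":")
        row = self._rows.get(selector)
        if row is None or not secrets.compare_digest(row[1], _hash(validator)):
            return None
        return row[0]

    def logout(self, cookie: str) -> None:
        """Explicit logout: revoke only the session of the browser that clicked it."""
        self._rows.pop(cookie.partition(":")[0], None)

    def password_changed(self, username: str, current_cookie: str) -> None:
        """Revoke every other persistent session of the user, keeping the one in use."""
        keep = current_cookie.partition(":")[0]
        for sel in [s for s, (u, _) in self._rows.items() if u == username and s != keep]:
            del self._rows[sel]

    def revoke_all(self, username: str) -> None:
        """Control-panel action: drop every persistent session for the user."""
        for sel in [s for s, (u, _) in self._rows.items() if u == username]:
            del self._rows[sel]

    def active_sessions(self, username: str) -> int:
        """Number of browsers that still hold a valid persistent session."""
        return sum(1 for u, _ in self._rows.values() if u == username)
```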