Logging out of Launchpad doesn't really log you out

Bug #568106 reported by Francis J. Lacoste
This bug affects 2 people
Affects: Launchpad itself
Status: Fix Released
Importance: High
Assigned to: Gary Poster
Milestone:

Bug Description

If you log out of Launchpad to log in as somebody else, the next time you click log in, you'll be automatically logged in as the user you authenticated before.

To really log in as somebody else, you need to go to login.launchpad.net and also log out there.

Guilherme Salgado (salgado) wrote :

Bug 329178 is somewhat related.

Guilherme Salgado (salgado) wrote :

I think this happens because when you authorize the OP to send your details to Launchpad, the OP stores that authorization and keeps it valid for some time, so the next time you log in the OP will send your account details without asking for your permission.

AFAIK, the only thing that Launchpad could do is to tell the OP to always require the user to *authenticate*, but I'm not sure that's what we want.

Stuart Metcalfe (stuartmetcalfe) wrote :

Assuming I understand the problem you're describing ... as a short-term fix, you can redirect your users on logout to https://login.launchpad.net/+logout. This isn't a perfect UX because there's currently no direct way back to the calling site but it seems to be working as a temporary fix for U1. We're working on a better longer-term fix.

Gary Poster (gary)
summary: - Loggin out of Launchpad doesn't really logs you out
+ Logging out of Launchpad doesn't really log you out
Gary Poster (gary) wrote :

I think we ought to do what Stuart suggests, quickly.

I have some inconclusive thoughts on a longer-term solution, following.

Since we are hoping to switch to HTTP for much of Launchpad, we have been contemplating making HTTP session cookies last only a day or less (while HTTPS session cookies might last much longer, as they do). This would mitigate the risk of stolen session cookies.

If we did that, when an OP still thinks that a user is logged in and Launchpad has timed out an HTTP session, I would like the OP to re-authenticate the Launchpad session without user interaction. That is, it would just do the redirect dance *without* requiring the user to click "OK" again. This would make more frequent Launchpad HTTP re-authentication much less painful.

However, if a user explicitly logs out of Launchpad, it would be reasonable to force the OP to re-authenticate the next time the user logs in.

Is there any way to make this story work, other than the short-term solution we will be implementing per Stuart's suggestion? Does anyone disagree on my goals?

I don't see
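
The two ideas in this thread, Stuart's short-term fix (send the browser to the OP's +logout page after clearing the local session) and Gary's longer-term one (silent re-authentication after a short HTTP session times out, but a forced fresh authentication after an explicit logout), sketched as relying-party code. This is an added, constructed example, not Launchpad's code and not what was eventually committed for this bug. OP_ENDPOINT, RP_RETURN_TO, RP_REALM, the RELOGIN_COOKIE flag, SessionStore, build_auth_request and complete_login are assumptions made for illustration; only the +logout URL comes from the thread. The openid.* parameter names, checkid_immediate/checkid_setup and the PAPE max_auth_age field are defined by the OpenID 2.0 and PAPE specifications; using max_auth_age=0 to force re-authentication is the example's own choice:

```python
"""Relying-party (RP) side of logout and re-login against an OpenID provider.

Constructed example; not Launchpad's code.  OP_ENDPOINT, RP_RETURN_TO, RP_REALM,
RELOGIN_COOKIE, SessionStore, build_auth_request and complete_login are assumed
names for illustration.  OpenID 2.0 / PAPE parameter names are from the specs.
"""
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import urlencode

OP_LOGOUT_URL = "https://login.launchpad.net/+logout"  # named in the thread
OP_ENDPOINT = "https://login.example/+openid"           # assumed OP endpoint
RP_RETURN_TO = "https://rp.example/+openid-callback"    # constructed
RP_REALM = "https://rp.example/"                         # constructed
RELOGIN_COOKIE = "rp_force_reauth"                       # assumed flag cookie

OPENID_NS = "http://specs.openid.net/auth/2.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"


@dataclass
class Session:
    user: str
    created: float
    max_age: float  # seconds; kept short for plain-HTTP cookies, as Gary proposes

    def expired(self, now=None):
        now = time.time() if now is None else now
        return now - self.created > self.max_age


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)

    def create(self, user, max_age):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, time.time(), max_age)
        return sid

    def logout(self, sid):
        """Explicit logout: drop the RP session, flag the browser so the next
        login demands a fresh authentication, and send the browser on to the
        OP's own logout page.  Without that redirect the OP's session survives
        and silently re-asserts the old user on the next login."""
        self.sessions.pop(sid, None)
        return {
            "status": 302,
            "Location": OP_LOGOUT_URL,
            "Set-Cookie": f"{RELOGIN_COOKIE}=1; Path=/; HttpOnly",
        }


def build_auth_request(claimed_id, cookies, reason):
    """OpenID 2.0 parameters the RP redirects the browser to the OP with.

    reason is "login" (the user clicked log in) or "timeout" (the RP's short
    HTTP session expired while the OP still believes the user is logged in).
    """
    params = {
        "openid.ns": OPENID_NS,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RP_RETURN_TO,
        "openid.realm": RP_REALM,
    }
    if reason == "timeout":
        # Silent re-authentication: the OP answers from its own session and
        # shows no "OK" page; if it cannot, it replies with setup_needed and
        # the RP falls back to an interactive checkid_setup request.
        params["openid.mode"] = "checkid_immediate"
    else:
        params["openid.mode"] = "checkid_setup"
        if cookies.get(RELOGIN_COOKIE) == "1":
            # The user logged out on purpose: PAPE max_auth_age=0 asks the OP
            # for credentials entered right now, so a cached OP session cannot
            # log the previous user back in.
            params["openid.ns.pape"] = PAPE_NS
            params["openid.pape.max_auth_age"] = "0"
    return params


def auth_redirect_url(params):
    return OP_ENDPOINT + "?" + urlencode(params)


def complete_login(store, asserted_user, max_age):
    """After the OP's positive assertion has been verified (signature and
    nonce checking are out of scope here): open a fresh RP session and clear
    the force-reauth flag so later timeouts can use checkid_immediate again."""
    sid = store.create(asserted_user, max_age)
    return {
        "status": 302,
        "Location": RP_REALM,
        "Set-Cookie": [
            f"session={sid}; Path=/; HttpOnly",
            f"{RELOGIN_COOKIE}=; Max-Age=0; Path=/",
        ],
    }
```

The flag lives in a browser cookie rather than in the server-side store because at the moment the next login starts the RP does not yet know which account the OP will assert; it only knows that this browser explicitly logged out. A real RP would also need the OP to honour max_auth_age, and would verify the returned assertion before calling complete_login.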

Changed in launchpad-foundations:
status: New → Triaged
importance: Undecided → High
Ursula Junque (ursinha) wrote : Bug fixed by a commit
Changed in launchpad-foundations:
assignee: nobody → Gary Poster (gary)
milestone: none → 10.05
status: Triaged → Fix Committed
tags: added: qa-needstesting
tags: added: qa-ok
removed: qa-needstesting
Changed in launchpad-foundations:
status: Fix Committed → Fix Released