Coffeehouse Post


Thread: Microsoft Accounts / Live Id signing out completely broken

    TLDR: Clear your cookies.

    So keep in mind I don't work for LiveID/Microsoft account etc.; however, single sign-on etc. does fall into my day-to-day work.

    Basically it's browsers, and their increasing security. Let's think about how single sign-on works:

    1. You browse to a web site that accepts OpenID, facebook logons, LiveIDs, whatever.
    2. You click sign on
    3. It goes to the identity provider.
    4. The identity provider has a check box which says "Keep me logged in"
    5. You check that box and login
    6. The IdP drops a cookie which says "Keep me logged in". This cookie can only be seen by the IdP.
    7. The IdP forwards you, via a form submit usually, with an identity token in the message.
    8. The original web site picks the token apart and logs you in.

    Now, logout. You can log out from the original site, because the original site can clear its own cookies. What it can't do is clear the "Keep me logged in" cookie that the IdP dropped in step 4, because of the browser's same origin policy. As browser security increased, the ways to get around SOP were closed.

    It's not just a LiveID problem; it's any third-party IdP which allows you to have a "Keep me logged in" function that will send a token back without any interaction.

    So the only way to logout is to delete the cookie dropped in step 4. Look for etc cookies and scrub them.