Hello,I'm currently developing a solution to log out a user from the community sessions automatically. I followed the API Reference here: https://developer.khoros.com/khoroscommunitydevdocs/reference/authsignoutI am currently getting the correct response of the user being signed out of all sessions but when I go to the community forums with my test user I can still see the user logged in.This is the json response that I am receiving:{ "status":"success", "message":"", "data": { "signed_off_all_sessions":true, "id":"#######" } }Context: we do use a cookie for our users to log into the community site if they are logged into our site. But I have made sure to just be logged into the community site without said cookie when trying this call out. Any help would be welcomed.

Hi marvide This seems like a bug with the signoff logic that runs when you make the call (it also seems like a bug that it doesn't sign off web sessions when you use OAuth). Would you mind opening a support case for this? That will get a bug opened in our system which we can track and get resolved for you. Please reference this thread in the case when you open one. Thanks, -Doug

I tried sending the lithiumLogin:{community id} with a new value and with a past expiry date but that did not work either... looks like the cookie is still there.Also tried sending a curlopt_cookielist, 'all', which supposedly deletes all cookies but it just didn't happen.Do I need to send this cookies in a separate call? I believe that this is it, but I have been unable to do it successfuly.The cookies are indeed deleted / updated after I send the call, but my user still has its session open anyway, has it got to do with the roles of the user making the call? Like, could I be receiving the `success` message but the function not actually working?

Hi marvide. I've passed this on to our Engineering team. Hoping to get a reply back later today or tomorrow.

Are you using the correct body parameter for your setup? E.g. sso_id if your setup is using SSO or just id when you are using Khoros community authentication. Not sure if mixing them up would actually work, but I've personally already mixed up ids versus SSO ids before 😛

I was indeed sending both the id and the sso_id at the same time. Right now I tried just sending the sso_id like this: { sso_id: $user_sso_id } And it's still returning the correct response of all sessions being logged out, but I am still clearly not logged out. 😞 Edit: Just tried sending the user id like so{ id : $user_id }And still, the user is not logged out.

Logging a user out not working

12 Replies

Claudius
Boss
4 years ago
Are you using the correct body parameter for your setup? E.g. sso_id if your setup is using SSO or just id when you are using Khoros community authentication. Not sure if mixing them up would actually work, but I've personally already mixed up ids versus SSO ids before 😛
marvide
Adept
4 years ago
I was indeed sending both the id and the sso_id at the same time. Right now I tried just sending the sso_id like this:

{ sso_id: $user_sso_id }

And it's still returning the correct response of all sessions being logged out, but I am still clearly not logged out. 😞

Edit: Just tried sending the user id like so
{ id : $user_id }
And still, the user is not logged out.
Claudius
Boss
4 years ago
Maybe signing out on server side isn't sufficient and there are Khoros session cookies on your browser client that immediately sign the user back in?
Maybe try deleting all Khoros session related cookies at the same time to rule that out. As a starting point you can look at the Khoros Cookies Datasheet (Community, Care, Marketing, Khoros Bot)
marvide
Adept
4 years ago
~~I tried sending the lithiumLogin:{community id} with a new value and with a past expiry date but that did not work either... looks like the cookie is still there.~~
~~Also tried sending a curlopt_cookielist, 'all', which supposedly deletes all cookies but it just didn't happen.~~
~~Do I need to send this cookies in a separate call? I believe that this is it, but I have been unable to do it successfuly.~~
The cookies are indeed deleted / updated after I send the call, but my user still has its session open anyway, has it got to do with the roles of the user making the call? Like, could I be receiving the `success` message but the function not actually working?
marvide
Adept
4 years ago
I still have not found what the issue seems to be.
My staging user and production user have the same grants, and I checked that both have `Manage roles, user bans, and abuse notifications in admin and user profiles` permission as granted.
The staging user does sign out other users when making the call to the staging api while the prod user does not.

I would love some more insight into this one, because I think I've already exhausted all my options.
SuzieH
Khoros Alumni (Retired)
4 years ago
DougS any insights for marvide? It looks like we might need an update on our Signout API docs.
marvide
Adept
4 years ago
Hi, are there any news on this?
I keep receiving success messages from the API, but my users are not being signed out in production. Is it some sort of configuration mismatch between the production and staging environment?
Once again, I reviewed and both staging and production users have the same grants/allow grants. Also, their roles have the same grants/allow grants.
marvide
Adept
4 years ago
DougS SuzieH any updates? 😞
SuzieH
Khoros Alumni (Retired)
4 years ago
Hi marvide. I've passed this on to our Engineering team. Hoping to get a reply back later today or tomorrow.
DougS
Khoros Oracle
4 years ago
Hi marvide

I seem to have missed this thread when I was mentioned before. Apologies for that.

Are you using OAuth 2.0 (passing Authorization and client-id headers) or a REST V1 Session Key (passing li-api-session-key header or restapi.session_key parameter) to authenticate to the API when you make the signout call? Also, are you making the signout call as the same user you are signing out, or a different user?

It looks like if you authenticate via OAuth 2.0 it signs off your OAuth user (revokes your access token), but doesn't sign you out of any web sessions you have going.

-Doug