Add a few notes on logout implementation

README.md

@@ -121,3 +121,23 @@ parameters:
 Note that annoyingly *cur_svc* and *cur_nonce* are redundant, as they
 are already contained within *cur_tkt*, but the SSO ticket API won't
 allow us to decode the ticket without verifying it at the same time.
+
+
+# Implementation notes
+
+The single-sign-on functionality works using HTTP cookies and
+redirects between the protected service and the SSO server implemented
+in this package. This part works without any Javascript, it's just
+plain old HTTP (the browser must accept cookies though). SSO cookies
+have a builtin (signed) expiration timestamp, and are set to be
+automatically deleted on browser exit.
+
+Logout, on the other hand, is more complex: in order to get the
+browser to delete the cookies from the signed-in services, we use
+XMLHttpRequests from the logout page, and expect the service logout
+endpoints to support authenticated CORS. If Javascript is not
+available, however, we try to clear the cookies using image requests,
+but this may not work depending on the browser (Safari), or the
+presence of privacy-protecting extensions meant to block third-party
+cookies. In this case a message is displayed asking the user to quit
+the browser, but this isn't really a satisfying solution.