From dc62a1d65832c8a3f73e7a0cffb78ad0b4d3d8fc Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Sun, 18 Feb 2018 15:46:43 +0000
Subject: [PATCH] Add a few notes on logout implementation

---
 README.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/README.md b/README.md
index 023f892..9bd4afb 100644
--- a/README.md
+++ b/README.md
@@ -121,3 +121,23 @@ parameters:
 Note that annoyingly *cur_svc* and *cur_nonce* are redundant, as they
 are already contained within *cur_tkt*, but the SSO ticket API won't
 allow us to decode the ticket without verifying it at the same time.
+
+
+# Implementation notes
+
+The single-sign-on functionality works using HTTP cookies and
+redirects between the protected service and the SSO server implemented
+in this package. This part works without any Javascript, it's just
+plain old HTTP (the browser must accept cookies though). SSO cookies
+have a builtin (signed) expiration timestamp, and are set to be
+automatically deleted on browser exit.
+
+Logout, on the other hand, is more complex: in order to get the
+browser to delete the cookies from the signed-in services, we use
+XMLHttpRequests from the logout page, and expect the service logout
+endpoints to support authenticated CORS. If Javascript is not
+available, however, we try to clear the cookies using image requests,
+but this may not work depending on the browser (Safari), or the
+presence of privacy-protecting extensions meant to block third-party
+cookies. In this case a message is displayed asking the user to quit
+the browser, but this isn't really a satisfying solution.
-- 
GitLab