Section 2.1.4
Top Level
Sub Level
General
If you support some form of single or reduced sign-on, ensure that when a user signs off, they are signed off from all the related sites with a single action.
Django
The built-in contrib.auth.views.logout view will delete the user's session ID from the session store and give the user a new session cookie, effectively logging the user out of any site using the old session cookie.
Java
In J2EE, use HttpSession.invalidate() to invalidate a current session. Also ensure that your application is in a proper state before and after invalidating a session.
Natural Webagent
Use EID authentication only. Don't create your own authentication system.
PHP
To invalidate a current session:
session_destroy();
Also ensure that your application is in a proper state before and after invalidating a session.
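The PHP entry above, expanded into a full logout routine as an added example (not part of the original guideline): session_destroy() on its own removes the server-side session data but leaves $_SESSION populated for the rest of the request and leaves the session cookie in the browser. The function name logout_current_user() and the /login redirect target are assumptions.

```php
<?php
// Added example. Requires PHP 7.3+ for the options-array form of setcookie().
declare(strict_types=1);

// Hypothetical helper name; not part of any framework.
function logout_current_user(): void
{
    // A session has to be active before it can be destroyed.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Clear the in-memory copy so later code in this request
    // cannot keep treating the user as authenticated.
    $_SESSION = [];

    // Expire the session cookie in the browser. The path, domain and
    // flags must match the ones it was set with, or the browser keeps it.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        $options = [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ];
        if (!empty($p['samesite'])) {
            $options['samesite'] = $p['samesite'];
        }
        setcookie(session_name(), '', $options);
    }

    // Remove the session data from the server-side store.
    session_destroy();
}

logout_current_user();

// Leave the application in a defined state: send the browser to a
// public page (assumed path) instead of rendering a protected view.
header('Location: /login', true, 303);
exit;
```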