Section
2.1.4
Top Level
General
If you support some form of single or reduced sign-on, ensure that when a user signs off, they are signed off of all the related sites with a single action.

Django

The built-in contrib.auth.views.logout view will delete the user's session ID from the session store and give the user a new session cookie, effectively logging the user out of any site using the old session cookie.
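The following is an added example, not code from Django or from this guideline: a framework-independent Python model of the single sign-off behaviour described under General, combined with the "delete the old session, issue a new cookie" step described for Django. The `SessionStore` class, its method names, and the sample users and site names are all assumptions made for illustration. Sessions are grouped per user as a simplification.

```python
import secrets


class SessionStore:
    """Hypothetical in-memory session store shared by a group of related sites."""

    def __init__(self):
        self._sessions = {}   # session ID -> {"user": ..., "site": ...}
        self._by_user = {}    # user -> set of session IDs across all sites

    def login(self, user, site):
        sid = secrets.token_urlsafe(32)   # unguessable session ID
        self._sessions[sid] = {"user": user, "site": site}
        self._by_user.setdefault(user, set()).add(sid)
        return sid

    def user_for(self, sid):
        """Return the signed-in user for a session ID, or None if it is not valid."""
        record = self._sessions.get(sid)
        return record["user"] if record else None

    def logout(self, sid):
        """Single sign-off: drop every session of this user on every related site.

        Returns a fresh anonymous session ID to set as the new cookie value,
        so the old cookie value is never reused. Assumption: sessions are
        linked per user, so other browsers of the same user are signed off too.
        """
        user = self.user_for(sid)
        if user is not None:
            for linked in self._by_user.pop(user, set()):
                self._sessions.pop(linked, None)
        return secrets.token_urlsafe(32)


def demo():
    store = SessionStore()
    # Constructed sample: one user signed in to two related sites, plus another user.
    portal = store.login("alice", "portal.example")
    mail = store.login("alice", "mail.example")
    other = store.login("bob", "portal.example")
    new_cookie = store.logout(portal)   # a single action on one site
    return {
        "portal": store.user_for(portal),   # old cookie no longer valid
        "mail": store.user_for(mail),       # related site signed off as well
        "other": store.user_for(other),     # unrelated user unaffected
        "new_cookie_user": store.user_for(new_cookie),
        "cookie_changed": new_cookie != portal,
    }
```

A test for your own logout path can follow the same pattern: sign in on each related site, sign off once, then replay every old session cookie and confirm each one is rejected.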

Java

In J2EE, use HttpSession.invalidate() to invalidate the current session. Also ensure that your application is in a proper state before and after invalidating a session.

Natural Webagent

Use EID authentication only. Don't create your own authentication system.

PHP

To invalidate a current session:

session_destroy();

Also ensure that your application is in a proper state before and after invalidating a session.