Hi everyone,

I am compelled to ask because the search turned up a few posts that
were somewhat vague and didn't answer all my questions.

I have a website widget that interacts heavily with Twitter. We use
OAuth to authenticate our requests. To logout the users from our side
we destroy the OAuth token. However during the initial OAuth workflow
Twitter places a cookie on the browser, so if the user logs out from
our site but navigates to the Twitter site they are still logged in.
Closing the browser solves this, as it appears the cookie is a session
cookie. Calling the "account/end_session.json" end point does nothing
for us because the call is server side so the cookie doesn't get

I am a little concerned about this behavior since the widget will be
on a public site users can access from public computers. It is
possible the users will log out of our widget but not close the
browser window. At that point someone could navigate to twitter and
still be logged in with their account.

So finally my questions are:
1. How do I reliably log users out of Twitter?
2. Is it really necessary for Twitter to send this cookie during the
OAuth workflow? The API is stateless, so the cookie is really
unnecessary as far as using the APIs is concerned.

Sorry for the lengthy post, responses are greatly appreciated!


Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list