Yes, yet another logout question. Sorry about that :)
From what I understand, the recommended logout procedure is to include a page in the web application destroying the app-token session and providing a link to the https://weblogin/logout page to destroy the SSO cookie and telling the user to close the browser application.
I know that it's a feature that WebAUTH doesn't set any domain cookies, but targets each cookie to the specific host, but what would theoretically be wrong with including a domain cookie common to all applications (in those setups where that's possible) to let an application verify that there's still a live SSO session, requiring there to be one before accepting the application session and potentially destroy that cookie, terminating all application sessions, when the user logs out?
I see that there are reasons in some WebAUTH setups why domain cookies are a bad idea - namely those where SSO is handled without a cookie by HTTP Negotiate. But as a thought experiment, what other reasons are there?
The FAQ mentions something about NAT traversal. But how does that influence such a solution?
/Peter
