From 279d8ca5d862d55cc0ca667ec552ebf53f6e6629 Mon Sep 17 00:00:00 2001 From: Ranj Rashid <107559176+Ranj101@users.noreply.github.com> Date: Wed, 15 Nov 2023 12:22:23 +0300 Subject: [PATCH 1/2] Update session_cleanup.md --- IdentityServer/v5/docs/content/ui/logout/session_cleanup.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/IdentityServer/v5/docs/content/ui/logout/session_cleanup.md b/IdentityServer/v5/docs/content/ui/logout/session_cleanup.md index 59cee88e..3f372e9f 100644 --- a/IdentityServer/v5/docs/content/ui/logout/session_cleanup.md +++ b/IdentityServer/v5/docs/content/ui/logout/session_cleanup.md @@ -22,9 +22,9 @@ Typically you should prompt the user to logout which requires a POST to remove t Otherwise an attacker could hotlink to your logout page causing the user to be automatically logged out. This means you will need a page to prompt the user to logout. -If a *logoutId* is passed to the login page and the returned *LogoutRequest*'s *ShowSignoutPrompt* is *false* then it is safe to skip the prompt. +If a *logoutId* is passed to the logout page and the returned *LogoutRequest*'s *ShowSignoutPrompt* is *false* then it is safe to skip the prompt. This would occur when the logout page is requested due to a validated client initiated logout via the [end session endpoint]({{}}). -Your logout page process can continue as if they user submitted the post back to logout, in essence calling *SignOutAsync*. +Your logout page process can continue as if the user submitted the post back to logout, in essence calling *SignOutAsync*. ### External Logins From 040244de12df31006840a417e881414949da026b Mon Sep 17 00:00:00 2001 From: Joe DeCock Date: Tue, 28 Nov 2023 12:33:57 -0600 Subject: [PATCH 2/2] Make same fixes on v6, v7 --- IdentityServer/v6/docs/content/ui/logout/session_cleanup.md | 2 +- IdentityServer/v7/docs/content/ui/logout/session_cleanup.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/IdentityServer/v6/docs/content/ui/logout/session_cleanup.md b/IdentityServer/v6/docs/content/ui/logout/session_cleanup.md index a0f2da69..ef64d4e8 100644 --- a/IdentityServer/v6/docs/content/ui/logout/session_cleanup.md +++ b/IdentityServer/v6/docs/content/ui/logout/session_cleanup.md @@ -26,7 +26,7 @@ Typically you should prompt the user to logout which requires a POST to remove t Otherwise an attacker could hotlink to your logout page causing the user to be automatically logged out. This means you will need a page to prompt the user to logout. -If a *logoutId* is passed to the login page and the returned *LogoutRequest*'s *ShowSignoutPrompt* is *false* then it is safe to skip the prompt. +If a *logoutId* is passed to the logout page and the returned *LogoutRequest*'s *ShowSignoutPrompt* is *false* then it is safe to skip the prompt. This would occur when the logout page is requested due to a validated client initiated logout via the [end session endpoint]({{}}). Your logout page process can continue as if the user submitted the post back to logout, in essence calling *SignOutAsync*. diff --git a/IdentityServer/v7/docs/content/ui/logout/session_cleanup.md b/IdentityServer/v7/docs/content/ui/logout/session_cleanup.md index 8c9f864e..fe070dbb 100644 --- a/IdentityServer/v7/docs/content/ui/logout/session_cleanup.md +++ b/IdentityServer/v7/docs/content/ui/logout/session_cleanup.md 
@@ -26,7 +26,7 @@ Typically you should prompt the user to logout which requires a POST to remove t Otherwise an attacker could hotlink to your logout page causing the user to be automatically logged out. This means you will need a page to prompt the user to logout. -If a *logoutId* is passed to the login page and the returned *LogoutRequest*'s *ShowSignoutPrompt* is *false* then it is safe to skip the prompt. +If a *logoutId* is passed to the logout page and the returned *LogoutRequest*'s *ShowSignoutPrompt* is *false* then it is safe to skip the prompt. This would occur when the logout page is requested due to a validated client initiated logout via the [end session endpoint]({{}}). Your logout page process can continue as if the user submitted the post back to logout, in essence calling *SignOutAsync*.
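Review bot: In the v5 hunk (PATCH 1/2), the corrected sentence states only when the prompt may be skipped (a *logoutId* is present and *ShowSignoutPrompt* is *false*) and leaves the default case implicit. Because the context lines above it warn that an attacker could hotlink to the logout page, consider adding one sentence after it saying that when no *logoutId* is passed, or *ShowSignoutPrompt* is *true*, the page must still show the prompt and require the POST. The wording fix from "login page" to "logout page" is correct, since the following context line also refers to "the logout page" being requested.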
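Review bot: In the v6 and v7 hunks (PATCH 2/2), the context lines around the changed sentence still use "logout" as a verb ("prompt the user to logout" appears twice) and leave "client initiated logout" unhyphenated. Since this series is already correcting wording in this paragraph, consider "prompt the user to log out" and "client-initiated logout", keeping "logout" for the noun and adjective uses such as "logout page". The same applies to the v5 copy. It would also help to search the docs tree for any remaining "passed to the login page" in other versioned copies of session_cleanup.md, since the sentence was duplicated in all three versions touched here.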