I was updating my passwords on various websites recently. However, one thing came to my mind: when should a web application disable all of one's (other) logins in different places/computers? Should it explicitly provide a button to do this "global logout" thing?
For the first question, I was surprised that only a few services do that; they don't do that when you log in (since they allow multiple logins at once), they don't do that when you log out, and they don't do that even when you change the password (Skype is the only service I encountered that does this; when I changed my password on the website, the Skype app popped up demanding that the new password be entered).
For example, even though I changed the password with Firefox on my laptop, the Facebook, Google, and Twitter logins on my mobile/cellular phone (which runs Opera Mini) were still not disabled. For these logins, I guess the only way to disable them without going to the computer/machine and pressing "Logout" explicitly is to wait for the cookies to expire.
For the second question, my answer is yes. I provide the function as a check box under the login form when writing a web app. My app also does this when the password changes. Why? Since cookies are issued when people log in with the right password, the cookies shouldn't remain valid now that the password that created the cookie is considered wrong.
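One way to implement both behaviours described above (the "log out everywhere" check box and invalidation on password change) is to keep a per-user session generation counter and stamp every session with the generation current at login; bumping the counter revokes every outstanding cookie at once, with no need to enumerate them. The following is an added example, not the author's app code; the in-memory stores, user names and function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores; a real app would keep these in a database.
USERS = {}     # username -> {"salt": bytes, "pw_hash": bytes, "generation": int}
SESSIONS = {}  # session id (the cookie value) -> {"user": username, "generation": int}


def _hash_password(password, salt):
    # PBKDF2 with a per-user salt; iteration count chosen for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username, password):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt,
                       "pw_hash": _hash_password(password, salt),
                       "generation": 0}


def _check_password(username, password):
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["pw_hash"],
                               _hash_password(password, user["salt"]))


def logout_everywhere(username):
    """Revoke every session of this user by bumping the generation.
    Existing session records still carry the old number and fail validation."""
    USERS[username]["generation"] += 1


def login(username, password, logout_others=False):
    """Return a new session id, or None on bad credentials.
    logout_others is the check box under the login form: when set, all
    earlier sessions are revoked before the new one is issued."""
    if not _check_password(username, password):
        return None
    if logout_others:
        logout_everywhere(username)
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username,
                     "generation": USERS[username]["generation"]}
    return sid


def change_password(username, old_password, new_password):
    """Rotate the password and revoke every cookie issued under the old one."""
    if not _check_password(username, old_password):
        return False
    salt = os.urandom(16)
    USERS[username]["salt"] = salt
    USERS[username]["pw_hash"] = _hash_password(new_password, salt)
    logout_everywhere(username)
    return True


def session_user(sid):
    """Per-request check: return the username for a valid cookie, else None.
    A stale generation means the cookie was revoked remotely."""
    rec = SESSIONS.get(sid)
    if rec is None:
        return None
    if rec["generation"] != USERS[rec["user"]]["generation"]:
        del SESSIONS[sid]  # lazily purge the revoked record
        return None
    return rec["user"]
```

After `change_password` succeeds, the browser that made the change is revoked too and should be issued a fresh session immediately, so the user who rotated the password stays logged in while every other device is cut off.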
The problem is serious. Think about it: you can cancel your credit cards if your wallet is stolen, but you can't cancel a cookie remotely whatsoever. How am I supposed to protect my identities if my phone is stolen? Think about it when you write your next app :-P. And please think about it, Yahoo, Facebook, and Twitter.