Question

I have added OpenID login with Yahoo! and Google to my site. It is OK and works fine.

When users select, for example, Yahoo! to log in to my site, they will be logged in to their Yahoo! Mail account too.

I think it is not secure, because maybe they don't notice this issue and leave the computer while their email account is available.

What do you think about this, and what is your solution for your own sites? As I notice, the same story applies to stackoverflow.com.


Solution

It's typically a session cookie, so if they close the browser they'll be okay, but I get your concern. I'd actually be curious to hear what the Yahoo! team has to say about this themselves; if nobody from Y! finds this question I'd ask over at the Yahoo OpenID Developer Forum.

OTHER TIPS

When you log in to OpenID with Yahoo, there will be 2 sessions: one is for the yahoo.com domain and another is a session for the target site (for example stackoverflow.com).

With the session from the target site (from the stackoverflow.com domain), an attacker cannot do anything on your main Yahoo account even if your cookies on the target site are exposed.

If you worry about your Yahoo account, you could log out from the yahoo.com domain after you've been authenticated with stackoverflow.com.

Note: It's not only with Yahoo; Google and others also use the same mechanism, so there should be no problem with that.
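To make the two-session point above concrete, here is an added toy model of the OpenID 2.0 association flow (not Yahoo's, Google's or Stack Overflow's code): the provider and the relying party each keep their own session store, the relying party accepts only an HMAC-signed positive assertion, and the cookies it mints are unrelated to the provider's. The host names, user names and `sign`/`positive_assertion` helpers are assumptions of this example, and the assertion omits fields a real response carries (nonce, op_endpoint, assoc_handle).

```python
import hashlib
import hmac
import secrets

def sign(mac_key, fields):
    # OpenID 2.0 style: sign the "key:value\n" form of the fields named in 'signed'
    msg = "".join(f"{k}:{fields[k]}\n" for k in fields["signed"].split(","))
    return hmac.new(mac_key, msg.encode(), hashlib.sha256).hexdigest()

class Provider:
    # Identity provider role (the yahoo.com / google.com side): its own session store
    def __init__(self):
        self.mac_key = secrets.token_bytes(32)  # association key shared with the RP
        self.sessions = {}                      # provider cookie -> user
    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid
    def positive_assertion(self, sid, return_to):
        user = self.sessions[sid]               # requires a live provider-side login
        fields = {"mode": "id_res", "return_to": return_to,
                  "claimed_id": f"https://me.example-idp.test/{user}"}
        fields["signed"] = ",".join(fields)
        fields["sig"] = sign(self.mac_key, fields)
        return {"openid." + k: v for k, v in fields.items()}

class RelyingParty:
    # Target site role (the stackoverflow.com side): a separate session store and cookie
    def __init__(self, mac_key):
        self.mac_key = mac_key
        self.sessions = {}                      # RP cookie -> claimed identifier
    def complete_login(self, response):
        fields = {k[len("openid."):]: v for k, v in response.items()}
        if not hmac.compare_digest(sign(self.mac_key, fields), fields["sig"]):
            raise ValueError("bad OpenID signature")
        sid = secrets.token_hex(16)             # minted by the RP, unrelated to the IdP cookie
        self.sessions[sid] = fields["claimed_id"]
        return sid

def run_flow():
    idp = Provider()
    rp = RelyingParty(idp.mac_key)              # association established out of band
    idp_cookie = idp.login("alice")             # user signs in at the provider
    rp_cookie = rp.complete_login(idp.positive_assertion(idp_cookie, "https://rp.test/return"))
    persists = idp_cookie in idp.sessions       # the concern raised in the question
    del idp.sessions[idp_cookie]                # the tip: log out of the provider afterwards
    return {"idp_session_persists_after_rp_login": persists,
            "rp_cookie_usable_at_idp": rp_cookie in idp.sessions,
            "rp_session_survives_idp_logout": rp_cookie in rp.sessions}
```

Running `run_flow()` shows all three observations from the thread at once: the provider login is still live after the target site has its own session, the target site's cookie means nothing to the provider, and logging out of the provider leaves the target-site session intact.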

Licensed under: CC-BY-SA with attribution