21 July 2008

Logoff Anti-Pattern

At the company I work for the time management system uses a problematic logoff solution. A logged-in user signs off by clicking a link, which displays a javascript dialog box asking for confirmation. When choosing yes, a popup window is opened that performs the actual logoff functionality. The problem is that this popup window is blocked by popup blockers, and the user is not logged off. Naturally the browser shows a visual clue that a popup window has been blocked, but this is easily overlooked, leaving users logged on, while they think they're logged off. This ofcourse poses a security threat, one that easily could have been avoided. Don't use a popup to sign a user off!

0 comments: