Redefining SLO - Secure Logouts

Discover how Single Logout (SLO) in Drupal enhances security by syncing session expiry with token expiry. Eliminate dormant sessions, prevent misuse, and ensure secure logouts across all connected applications.

Updated On: Sep 17, 2025

Introduction

We have all done it: we log into a service, often on a shared device, and when we’re done we simply close the browser tab and walk away, assuming we’ve been logged out automatically because the tab is gone. This is like unlocking the door to your house and leaving the keys in the lock when you leave. Not a secure way to live, is it now?

But maybe you’re a bit smarter than the average Joe, and you do remember to log out of a shared device once you’re done with it. But what if the system you’re using isn't that smart? You log out of one app only to discover you're still signed in on another.

That’s a Zombie Session: still alive, and still accessible. It is one of the scariest gaps in your site's security, and an open invitation for misuse and theft.

And attackers love forgotten sessions.

But there is a solution, and a long-lived concept at that: Single Logout, or SLO for short. This is nothing new. But we’ve gone a step further and given it a glow-up.

When a user manually logs out, the Drupal session is terminated and, assuming SLO is configured, the IdP session is terminated as well. We add a bit of extra security on top: the token is invalidated too, so it cannot be reused.

The new and improved miniOrange Drupal OAuth Client Module makes SLO smarter by linking user sessions directly to the Access or ID token, specifically to the token expiry. When the token expires, SLO is triggered automatically.

That brings us to idle sessions, which need to be handled separately. We can take care of them using a setting in the Session Management module: auto-logout. You set a threshold value (in seconds) for inactivity, and if a user remains inactive beyond the configured time, auto-logout takes place first, and then SLO follows to ensure the session is fully terminated on the IdP side as well.

Let’s take a look at the components involved:

What’s an ID Token?

You can think of it as your temporary pass/token - it is a digitally signed piece of information issued by the IdP after a user is successfully authenticated via something like OIDC. It contains details like the user’s identity, authentication time, and a set expiry.

How long does a session last or what is Session Timeout?

Session Timeout defines how long a user’s login session remains active on a site/application before it expires. By default, Drupal has its own session timeouts. But with the OAuth Client, the Drupal session timeout is directly synchronized with the Access or ID token expiry.

What is Single Log Out?

Single Log Out (SLO) is a process that ends active sessions across all connected applications in one go. When triggered, it logs the user out not just from the SP, but also from the Identity Source and, depending on the IdP's configuration, from any other apps linked to it.

Smarter SLO

You can configure SLO through the miniOrange Drupal OAuth Client Module. Here’s the link to a guide that outlines how you can configure SLO between Drupal and Okta.

This is where it gets better. The OAuth Server issues an Access or ID Token when a user signs in, and that token has a set expiry; that’s standard. When a user logs in, their session is created in Drupal, and this session too has a defined expiry.

What if the expiries were to figuratively sync up?

The OAuth Client Module reads the token expiry, and when the token expires, the module kills the Drupal session as well. Now SLO comes into play to log the user out of other connected apps too (again, this depends on the IdP / OAuth Provider you’re using). For example, logging out of your Gmail session kills all sessions across YouTube, Google Sheets and the entire suite of apps connected to Google, the Identity Source.

The beauty of this feature? You don’t have to configure timeouts in a dozen places. The IdP sets the rule (default: 60 mins), and Drupal follows it.
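To make the policy described above and in the idle-session paragraph concrete, here is an added example (not code from the miniOrange module) that reads the exp claim from an ID token, decides whether a Drupal session should still be alive at a given moment, and builds the OIDC RP-Initiated Logout URL used to end the IdP session. The sample token, the endpoint and the idle limit are constructed for the demo; the token signature is assumed to have been verified at login.

```python
import base64
import json
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_id_token(exp: int) -> str:
    """Constructed, unsigned sample ID token for this demo (placeholder signature)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": "https://idp.example", "sub": "user-1", "exp": exp}).encode())
    return f"{header}.{payload}.placeholder-signature"


def jwt_exp(id_token: str) -> int:
    """Return the 'exp' claim (Unix seconds) from the token payload.

    Assumption: the signature was verified when the token was issued at login;
    this helper only reads the already-trusted claim to sync the session expiry.
    """
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


def session_state(token_exp: int, last_activity: int, idle_limit: int, now: int) -> str:
    """Decide what happens to the Drupal session at time `now`.

    'token_expired' -> session is killed and SLO is triggered (token-driven expiry)
    'idle_logout'   -> auto-logout fires for inactivity, then SLO follows
    'active'        -> nothing to do
    """
    if now >= token_exp:
        return "token_expired"
    if now - last_activity >= idle_limit:
        return "idle_logout"
    return "active"


def slo_url(end_session_endpoint: str, id_token: str, post_logout_redirect_uri: str) -> str:
    """Build an OIDC RP-Initiated Logout URL; id_token_hint tells the IdP which session to end."""
    query = urlencode({"id_token_hint": id_token, "post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{end_session_endpoint}?{query}"


if __name__ == "__main__":
    token = make_sample_id_token(exp=3600)  # constructed: token valid until t=3600
    for now in (500, 1000, 3600):
        print(now, session_state(jwt_exp(token), last_activity=100, idle_limit=900, now=now))
    print(slo_url("https://idp.example/oauth2/logout", token, "https://drupal.example/"))
```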

The bottom line?

No extra clicks. No zombie sessions. No loose ends.

Users don't have to wonder whether they are still logged in somewhere. With no forgotten sessions, there are fewer attack opportunities.

And that’s pretty much it: your risk of zombie sessions is eliminated, your site stays secure and your sessions stay in sync.

If you’re already a part of our miniOrange Drupal Community, upgrade to the latest version right away. If not, we’d love to have you on-board!

Here’s a link to know more. But if you’d like to take this out for a test drive, we can get you set up with a 7-day trial.

Author: miniOrange