The website is run almost 100% of the time from ‘shared’ computers, like those found in a career center. User A comes to my website, signs into the site and then authorizes the Twitter app, which stores their session in the browser, along with, effectively, signing them into twitter.com.
User A now leaves my application by signing out of my site - but not closing the browser.
User B arrives, logs into my site with their login, but the Twitter session is still active (due to the browser staying open), so any Twitter app integrations I’ve included will show as if it is still user A, correct?
So the question is, what are the recommended ways to deal with this? Two options come to mind:
When the user signs out of my website, I log them out of the Twitter API, so that all of the sessions are killed. Pros - I can ensure that users signing into the site will not have old sessions hanging around. Cons - a user who is returning shortly after leaving will have to re-login to Twitter as well as my site to see the Twitter integrations - I’d love to avoid the user ALWAYS having to do two logins. Secondly, forcing the Twitter logout when they leave my site kills any active sessions they have at twitter.com, which makes for a bad user experience as they would not ‘get’ why logging out of my site has anything to do with twitter.com, and will then have to re-sign in to twitter.com.
The second option would be that when the user authorizes the Twitter app, I take their member ID and store that locally. Then, when a user returns to the site and signs in, I check their Twitter auth status, and if logged in to Twitter, pull their member ID and check it against the one I have stored locally. If they match, I have the correct user; if not, I do a Twitter logout and have them sign in to Twitter. Pros - this should ensure I always have the correct user to the site. Cons - not sure if getting and storing the member ID is feasible.
Any suggestions or pointers to the ‘best practice’ when it comes to ensuring that the current user is indeed the one associated with the Twitter account, specifically in this ‘shared computing’ situation where sessions may overlap?
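As an added illustration (not code from the question), here is a constructed Python simulation of the second option: the site records the Twitter member ID at authorization time and re-checks it on every site login, dropping a mismatched Twitter identity on the app's side only, without signing anyone out of twitter.com. The SharedBrowser and Site classes and the member IDs are assumptions standing in for the real session and OAuth machinery.

```python
from enum import Enum

class Outcome(Enum):
    SHOW_INTEGRATIONS = "show"        # browser's Twitter identity belongs to this user
    REQUIRE_TWITTER_REAUTH = "reauth" # linked account, but no usable session for it
    OFFER_TWITTER_LINK = "link"       # this local account never authorized Twitter

class SharedBrowser:
    """Stays open between site users, so the Twitter app session outlives site logouts."""
    def __init__(self):
        self.twitter_member_id = None  # stands in for the Twitter app session (constructed)

class Site:
    def __init__(self):
        self._bindings = {}     # local user -> Twitter member ID stored at authorization
        self._site_session = None
    def login(self, user):
        self._site_session = user
    def logout(self):
        self._site_session = None  # only the site session ends; twitter.com is untouched
    def authorize_twitter(self, browser, twitter_member_id):
        # The OAuth callback yields the member ID; remember it for the local account.
        browser.twitter_member_id = twitter_member_id
        self._bindings[self._site_session] = twitter_member_id

    def twitter_integration_state(self, browser):
        """Decide what the integrations may do for the currently signed-in site user."""
        expected = self._bindings.get(self._site_session)
        present = browser.twitter_member_id
        if present is not None and present != expected:
            browser.twitter_member_id = None  # stale identity from a previous user: drop it
            present = None
        if expected is None:
            return Outcome.OFFER_TWITTER_LINK
        if present is None:
            return Outcome.REQUIRE_TWITTER_REAUTH
        return Outcome.SHOW_INTEGRATIONS

def shared_computer_scenario():
    """User A links Twitter and signs out of the site; user B signs in; A returns later."""
    browser, site = SharedBrowser(), Site()
    site.login("userA"); site.authorize_twitter(browser, "twitter:1001")
    a_first = site.twitter_integration_state(browser)
    site.logout(); site.login("userB")
    b_state = site.twitter_integration_state(browser)   # must not act as user A
    site.authorize_twitter(browser, "twitter:2002")
    site.logout(); site.login("userA")
    a_back = site.twitter_integration_state(browser)    # B's Twitter session is not A's
    return a_first, b_state, a_back
```

Running `shared_computer_scenario()` shows user B is never treated as user A, and a returning user A is asked to re-authorize rather than inheriting B's session.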