3.1.1.5 Federation Partner Session Lists for Web Browser Requestors

The wsignout1.0 request message and the wsignoutcleanup1.0 message do not explicitly identify the user who triggered the sign-out operation. The web browser requestor that transports these messages is the only link to the user. Thus, to process the wsignout1.0 request message and the wsignoutcleanup1.0 request message, a user's activity MUST be tracked in terms of the activity of the user's web browser requestor. Federation partners MUST uniquely identify individual web browser requestors. This MAY<43> be done by setting an HTTP session cookie that contains a unique identifier. For more information, see [RFC2965].

web browser requestor session: This is a list of the security tokens that were issued to (or received from) a specific instance of a web browser requestor in response to Microsoft Web Browser Federated Sign-On Protocol messages. A web browser requestor session is delimited by the user starting and stopping an instance of the software that implements a web browser requestor. For example, if a user were to start two instances of the same web browser requestor software in parallel to obtain security tokens, this would be treated as two sessions. A requestor IP/STS MUST maintain the list in terms of relying parties, using the value of the Audience element from each security token issued during the web browser requestor session. A relying party MUST maintain the list in terms of requestor IP/STSs, using the value of the Issuer element from each security token received during the web browser requestor session.
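The following model, added here as an illustration and not taken from the specification or any product implementation, shows how the two lists above are kept and consumed. Each federation partner identifies a web browser requestor by the unique identifier in an HTTP session cookie; an IP/STS records the Audience of every token it issues in that session, a relying party records the Issuer of every token it receives, and on wsignout1.0 the session list (not the message) names the partners that need a wsignoutcleanup1.0 message. The class names, the `urn:…example` identifiers and the role labels are constructed for the example; the token and partner objects are deliberately minimal.

```python
from __future__ import annotations
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class SecurityToken:
    """Only the two elements the session lists depend on (constructed model)."""
    issuer: str    # value of the Issuer element
    audience: str  # value of the Audience element


@dataclass
class SessionList:
    """Partner identifiers seen in one web browser requestor session, in order, without duplicates."""
    partners: list[str] = field(default_factory=list)

    def record(self, partner: str) -> None:
        if partner not in self.partners:
            self.partners.append(partner)


class FederationPartner:
    """A requestor IP/STS (role 'ipsts') or a relying party (role 'rp')."""

    def __init__(self, role: str) -> None:
        if role not in ("ipsts", "rp"):
            raise ValueError("role must be 'ipsts' or 'rp'")
        self.role = role
        self.sessions: dict[str, SessionList] = {}

    def new_session_cookie(self) -> str:
        # Unique, unguessable identifier handed out as an HTTP session cookie.
        # A second browser instance gets a second cookie, hence a second session.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = SessionList()
        return sid

    def observe_token(self, sid: str, token: SecurityToken) -> None:
        """Record a token issued (IP/STS) or received (RP) in session `sid`.
        The IP/STS keys its list by Audience, the RP by Issuer."""
        key = token.audience if self.role == "ipsts" else token.issuer
        self.sessions[sid].record(key)

    def sign_out(self, sid: str) -> list[str]:
        """Handle wsignout1.0 for the session identified by the cookie value.
        Returns the partners that should receive wsignoutcleanup1.0 and discards the session."""
        session = self.sessions.pop(sid, None)
        if session is None:
            return []  # unknown or already-ended session: nothing to clean up
        return list(session.partners)


def demo() -> tuple[list[str], list[str], list[str]]:
    """Two parallel browser instances against one IP/STS, plus one relying party."""
    sts = FederationPartner("ipsts")
    rp = FederationPartner("rp")
    sid_a = sts.new_session_cookie()  # first browser instance
    sid_b = sts.new_session_cookie()  # second instance started in parallel

    t1 = SecurityToken(issuer="urn:sts.example", audience="urn:rp1.example")
    t2 = SecurityToken(issuer="urn:sts.example", audience="urn:rp2.example")
    sts.observe_token(sid_a, t1)
    sts.observe_token(sid_a, t2)
    sts.observe_token(sid_a, t1)  # re-issued to the same RP: still one list entry
    sts.observe_token(sid_b, t1)

    rp_sid = rp.new_session_cookie()
    rp.observe_token(rp_sid, t1)

    cleanup_a = sts.sign_out(sid_a)  # session B is untouched by this sign-out
    cleanup_b = sts.sign_out(sid_b)
    return cleanup_a, cleanup_b, rp.sign_out(rp_sid)
```

Running `demo()` returns `(['urn:rp1.example', 'urn:rp2.example'], ['urn:rp1.example'], ['urn:sts.example'])`: the first browser session's sign-out names both relying parties it obtained tokens for, the parallel session is unaffected until its own sign-out, and the relying party's list names the IP/STS that issued what it received. A repeated `sign_out` for the same cookie value returns an empty list, which is the state a partner should expect after a cleanup has already run.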