
We have a case where a Sites page is being used as a login screen; internally it then logs the user in to the customer portal. The logout facility redirects to /secur/logout.jsp.

After logout, enter the Sites URL + a Visualforce page that can only be accessed while logged in.

What happens is that Salesforce allows the access and logs in as the last user that logged in.


Example:

Sites URL = https://company.na1.force.com/

After logging in, we browse through the system; let's say the URL is now https://na1.salesforce.com/apex/SamplePage

Assume that SamplePage is one of the VF pages implemented and can only be accessed by a logged-in portal user.

Then click on logout -> uses https://na1.salesforce.com/secur/logout.jsp

Then enter in the URL: https://company.na1.force.com/apex/SamplePage

The browser will redirect to the page as if the previous user is still logged in.


After some investigation, it seems that the cookie for the https://na1.salesforce.com domain is the only one invalidated, and the https://company.na1.force.com/ domain cookie is still valid, allowing access to the system.


It seems that we need to log out by redirecting to https://company.na1.force.com/secur/logout.jsp too, to invalidate both cookies.


My idea is that on click of logout, it will redirect to a blank VF page that logs out using https://company.na1.force.com/secur/logout.jsp in an iframe, then redirect to https://na1.salesforce.com/secur/logout.jsp


Do you have any better ideas?

  • February 11, 2010
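An added example, not part of the post above: a Node.js regression check for the logout gap it describes. It runs the chosen logout URLs, then requests the login-only page on both hosts and reports any host that still serves it, so a release can be checked for the single-domain logout problem. The HTTP client is injected so the check runs offline against a stub; the stub, the hosts and the paths are assumptions taken from the post's example.

```javascript
// Hosts and protected page from the post's example (assumed values).
const PORTAL_HOST = "https://na1.salesforce.com";
const SITES_HOST = "https://company.na1.force.com";
const PROTECTED_PATH = "/apex/SamplePage";

// client.get(url) resolves to { status, location } and keeps cookies per
// host the way a browser does. Returns the hosts on which the protected
// page is still served (HTTP 200) after the given logout URLs were hit.
async function checkLogoutCoverage(client, logoutUrls) {
  for (const url of logoutUrls) await client.get(url);
  const leaked = [];
  for (const host of [PORTAL_HOST, SITES_HOST]) {
    const res = await client.get(host + PROTECTED_PATH);
    // A terminated session must not yield 200 on a login-only page.
    if (res.status === 200) leaked.push(host);
  }
  return leaked;
}

// Constructed stub reproducing the reported behaviour: each host holds its
// own session cookie, and /secur/logout.jsp only clears the cookie of the
// host it was requested on. Not a model of real Salesforce internals.
function makeStubClient() {
  const sessions = { [PORTAL_HOST]: true, [SITES_HOST]: true }; // logged in on both
  return {
    async get(url) {
      const host = new URL(url).origin;
      if (url.endsWith("/secur/logout.jsp")) {
        sessions[host] = false;
        return { status: 302, location: host + "/" };
      }
      return sessions[host]
        ? { status: 200, location: null }
        : { status: 302, location: host + "/login-placeholder" };
    },
  };
}

// Stand-alone run: logout on the portal host alone leaves the Sites host open.
checkLogoutCoverage(makeStubClient(), [PORTAL_HOST + "/secur/logout.jsp"])
  .then((leaked) => console.log("still authenticated on:", leaked));
```

Against a real org the stub is replaced by a client with a cookie jar; an empty result only after both logout URLs were hit confirms the second redirect is needed.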