Call logout() after a failed login


On November 30th, 2016, Mozilla shut down the Persona services, and related domains will soon be taken offline.

For more information, see this guide to migrating your site away from Persona:

After your onlogin handler gets called with an assertion, if for any reason you can't use the assertion to log the user in, you must call navigator.id.logout().

If you don't, then the next time you call navigator.id.watch(), Persona will immediately call your onlogin handler again, with the same assertion. Typically this will lead to an endless loop of failed login attempts:

  1. the user clicks "Sign In"
  2. the user interacts with the Persona interface, and Persona generates an assertion
  3. Persona delivers the assertion to the page's onlogin handler
  4. the onlogin handler rejects the assertion, and redirects the user to the login page
  5. the login page loads, calls navigator.id.watch(), and we go back to (3)

The reason is that Persona tries to remember which email you want to use to log into a particular site. Once the user has tried to log into your site with a particular email address, Persona remembers that this is the address they want to use with your site. Then when the next page load calls navigator.id.watch() with a loggedInUser of "null", Persona compares that with the address it remembers, and sends the assertion again.

To make Persona forget the association between your site and the email address, call navigator.id.logout() if you don't want to log the user in with that assertion. This might be because the assertion does not validate, or because you don't want to use the given email address.

A common scenario where this is a problem is when an RP wants to allow users to sign in with Persona, but does not want to let them sign up with Persona, preferring some custom registration system for new users. In this case, when you get an assertion, you'll check that the email address it contains is for one of your existing users, and reject the login attempt if it is not. If you do reject this assertion, you must call navigator.id.logout().
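
The loop and its fix can be replayed with a small model of the behaviour described above. This is an added example, not code from the original page or from Persona; makePersonaModel, simulate and the sample addresses are hypothetical, and the model stands in for navigator.id.watch() and navigator.id.logout() so it runs outside a browser.

```javascript
// Constructed model of the behaviour this page describes. It is not Persona's
// code: makePersonaModel, simulate and the sample addresses are hypothetical.
function makePersonaModel() {
  let remembered = null; // email Persona associates with this site
  return {
    // The user picks an address in the Persona dialog.
    request(email) { remembered = email; },
    // Stand-in for navigator.id.watch(): deliver an assertion whenever the
    // page's loggedInUser disagrees with the remembered address.
    watch({ loggedInUser, onlogin }) {
      if (remembered === null || remembered === loggedInUser) return false;
      onlogin({ email: remembered }); // stand-in for a signed assertion
      return true;
    },
    // Stand-in for navigator.id.logout(): forget the site/email association.
    logout() { remembered = null; },
  };
}

// Replays up to maxPageLoads loads of the login page for an RP that accepts
// sign-in only from addresses in existingUsers (no sign-up through Persona).
function simulate(email, existingUsers, logoutOnReject, maxPageLoads = 5) {
  const persona = makePersonaModel();
  persona.request(email);
  let loggedInUser = null, rejections = 0, deliveries = 0;
  while (deliveries < maxPageLoads) {
    const delivered = persona.watch({
      loggedInUser,
      onlogin(assertion) {
        if (existingUsers.has(assertion.email)) {
          loggedInUser = assertion.email; // accepted: session established
          return;
        }
        rejections++; // rejected: the page redirects back to login
        if (logoutOnReject) persona.logout(); // the fix from this page
      },
    });
    if (!delivered) break; // nothing re-sent, so the loop has ended
    deliveries++;
  }
  return { loggedInUser, rejections, deliveries };
}

const users = new Set(["alice@example.com"]); // constructed sample data
console.log(simulate("newuser@example.com", users, false)); // loops until the cap
console.log(simulate("newuser@example.com", users, true));  // one rejection, then stops
console.log(simulate("alice@example.com", users, false));   // normal login
```

Without the logout call, the rejected assertion is re-delivered on every page load until the cap is reached; with it, the handler sees the assertion once.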