
Description
Hi guys, please can you explain your thinking behind the session and cookie destruction in the logout method?
I'd suggest PHPAuth should only kill session data directly related to auth & login, not the entire session. Killing the entire session has an impact on other code outside of PHPAuth. For example, if the session is also used to retain "last used" items (e.g.: "last search terms", "id of last thing looked at"), this session data may need to be preserved.
Imagine a menu where "recent searches", "recent products viewed" is an option, and those recent searches are retained in the session (rather than a backend DB). The user may want to log out, then log in again a few mins later or even view the site from a "not logged in state", and from a user experience point of view they'd expect to still see their "recent searches".
Hard killing the session in the way you do it can also cause other problems, e.g.: with ajax requests etc. I get why you've probably done this, but you're making the assumption that only valid activities can happen following a PHPAuth login - which isn't the case in many real world applications.
Thank you
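The two logout strategies the issue contrasts, shown side by side as an added example. This is illustration code written for this page, not PHPAuth's own logout method: the session key names (`auth_user_id`, `auth_token_hash`, `auth_expires`), the cookie name `authid`, and the demo data are all assumptions, since the page does not show PHPAuth's real names. The auth-only variant keeps non-auth keys such as recent searches but still rotates the session id and expires the persistent auth cookie, so that dropping `session_destroy()` does not leave the pre-logout session id reusable.

```php
<?php
declare(strict_types=1);

// Assumed names: PHPAuth's actual session keys and cookie name are not on the page.
const AUTH_SESSION_KEYS = ['auth_user_id', 'auth_token_hash', 'auth_expires'];
const AUTH_COOKIE_NAME  = 'authid';

/**
 * "Hard kill" logout as described in the issue: every session value is lost,
 * the session cookie is expired and the server-side session file is removed.
 */
function logoutDestroyEverything(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/**
 * Auth-only logout: remove just the authentication state and keep the rest
 * (recent searches, last viewed product, ...), but rotate the session id so a
 * session id captured before logout no longer maps to any data.
 * Returns the keys that survive, so callers can verify what was kept.
 */
function logoutAuthOnly(array $authKeys = AUTH_SESSION_KEYS,
                        string $authCookie = AUTH_COOKIE_NAME): array
{
    foreach ($authKeys as $key) {
        unset($_SESSION[$key]);
    }

    // Expire the persistent login cookie on the client. The matching
    // server-side token must be invalidated separately (backend-specific,
    // not shown here); clearing the cookie alone is not a revocation.
    setcookie($authCookie, '', [
        'expires'  => time() - 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    // New id, old session file deleted: non-auth data survives under the new id
    // only, so the old id cannot be replayed after logout.
    session_regenerate_id(true);

    return array_keys($_SESSION);
}

// Demo with constructed data; run as `php logout_example.php`.
session_start();
$_SESSION['auth_user_id']    = 42;
$_SESSION['auth_token_hash'] = 'constructed-hash';
$_SESSION['auth_expires']    = time() + 3600;
$_SESSION['recent_searches'] = ['ssd', 'usb-c hub'];
$_SESSION['last_product_id'] = 1337;

$remaining = logoutAuthOnly();
print_r($remaining);
```

After `logoutAuthOnly()` only `recent_searches` and `last_product_id` remain in `$_SESSION`, under a freshly generated session id. Whether that carried-over data should outlive a logout at all is a product decision (it is visible to the next person using the same browser), which is why the two behaviours are kept as separate functions rather than one with a flag.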