Sometimes Logout does not disconnect the user

[micheldiemer]

Sometimes Logout does not disconnect the user. The cookie is not correctly removed.
In particular when changing the security level.
When removing the cookie, the options must be the same as when creating the cookie.

Fine includes/process-commands.php

/* EXISTING CODE */
case "logout":

    setcookie("uid", "deleted", time() - 3600);
    setcookie("username", "deleted", time() - 3600);

    /* NEW CODE TO ADD */
    /* Make sure the cookie is removed, no matter how it has been created */
    $l_cookie_options = array(
        'expires' => time() - 3600,              // 0 means session cookie
        'path' => '/',               // '/' means entire domain
        //'domain' => '.example.com', // default is current domain
        'secure' => FALSE,           // true or false
        'httponly' => TRUE,         // true or false
        'samesite' => 'Strict'          // None || Lax  || Strict
    );
    setcookie("username", "deleted", $l_cookie_options);
    setcookie("uid", "deleted", $l_cookie_options);

    //setrawcookie() allows for response splitting
    $lUsernameCookie = $lRecord->username;
    $l_cookie_options = array(
        'expires' => time() - 3600,              // 0 means session cookie
        'path' => '/',               // '/' means entire domain
        //'domain' => '.example.com', // default is current domain
        'secure' => FALSE,           // true or false
        'httponly' => FALSE,         // true or false
        'samesite' => 'Lax'          // None || Lax  || Strict
    );
    setrawcookie("username", "deleted", $l_cookie_options);
    setrawcookie("uid", "deleted", $l_cookie_options);

[webpwnized]

Thanks. Fixed in version 2.10.8.