ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Do you expect the entire session to be destroyed when logging out?

April 11, 2012 2:41pm

  • #1 / Apr 11, 2012 2:41pm

    skunkbad's avatar

    skunkbad

    1326 posts

    I’m currently thinking about what happens when I log out of a website, and how that applies to Community Auth. Right now, when logging out, only the authentication related data is destroyed. Would it be “normal” to destroy the entire session? Should it be a configuration option to be able to choose how this is handled? I’m leaning toward making it a configuration option so website owners can choose how logout is handled.

    For instance, if I have an eCommerce site and I have a cart full of items, and am logged in to the website, when I log out, should the shopping cart data also be destroyed?

    On the other side, if the cookie can be destroyed and the session no longer needs to be maintained, then the cookie can be totally removed.

    I’m just going through this thing where I don’t want to have session cookies in use if there is no reason to have them. Why have a cookie if there’s no reason to have it?

    Maybe when unsetting the authentication data, if no other userdata exists, then destroy the entire cookie? What do you think?
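Added example (not Community Auth's code, and not posted by anyone in this thread) of the logout policy proposed above: unset only the authentication keys, and destroy the session and its cookie only when nothing else is stored. The session is modelled as a plain PHP array and the cookie header is returned as a string rather than sent, so it runs from the CLI; the key names and the `ci_session` cookie name are assumptions.

```php
<?php
// Added example, not Community Auth's code: clear only the authentication
// keys, destroy the session only when nothing else is left in it.

// The key names are an assumption for this example.
const AUTH_KEYS = ['auth_identity', 'auth_level', 'auth_login_time'];

/**
 * Unset the authentication keys. Returns true when nothing else was stored,
 * i.e. the caller may destroy the whole session and drop the cookie.
 */
function clearAuthData(array &$session, array $authKeys = AUTH_KEYS): bool
{
    foreach ($authKeys as $key) {
        unset($session[$key]);
    }
    return $session === [];
}

/** Set-Cookie header that makes the browser delete $name immediately. */
function expireCookieHeader(string $name, string $path = '/'): string
{
    // Expiry in the past plus Max-Age=0; the flags match what the live
    // session cookie should have carried in the first place.
    return sprintf(
        'Set-Cookie: %s=deleted; Expires=%s; Max-Age=0; Path=%s; Secure; HttpOnly; SameSite=Lax',
        $name,
        gmdate('D, d M Y H:i:s \G\M\T', 0),
        $path
    );
}

/**
 * Apply the logout policy. Returns what the session layer must do next:
 *   destroy       - no userdata left: wipe the session and expire the cookie
 *   regenerate_id - userdata (cart, filters) stays, but the session ID that
 *                   was valid while logged in must not survive the logout
 */
function logout(array &$session, string $cookieName): array
{
    if (clearAuthData($session)) {
        $session = [];
        return ['action' => 'destroy', 'set_cookie' => expireCookieHeader($cookieName)];
    }
    return ['action' => 'regenerate_id', 'set_cookie' => null];
}

// Constructed input: a logged-in shopper with a cart, and a bare login.
$withCart = ['auth_identity' => 'alice', 'auth_level' => 6, 'cart' => ['sku-100' => 2]];
$bare     = ['auth_identity' => 'bob',   'auth_level' => 1];

print_r(logout($withCart, 'ci_session'));
print_r(logout($bare, 'ci_session'));
```

The `regenerate_id` branch matters even when the session is kept for the cart: the ID that identified an authenticated session should not keep identifying the anonymous one, otherwise anyone who captured it while the user was logged in still holds a valid session.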

  • #2 / Apr 11, 2012 2:45pm

    InsiteFX's avatar

    InsiteFX

    6819 posts

    Sounds good to me skunkbad.

    If you use setcookie with an expire time of 0 it will delete it on browser close.

  • #3 / Apr 11, 2012 2:52pm

    skunkbad's avatar

    skunkbad

    1326 posts

    Sounds good to me skunkbad.

    If you use setcookie with an expire time of 0 it will delete it on browser close.

    Well, I do have it set by default to delete on browser close, but maybe it should be deleted even sooner?

  • #4 / Apr 11, 2012 2:56pm

    WanWizard's avatar

    WanWizard

    4475 posts

    I never delete session cookies, but that is mainly because I also store user related stuff in the session that is not related to the users authenticated state. Like for example to remember selection criteria, sort orders, etc.

  • #5 / Apr 11, 2012 2:59pm

    CroNiX's avatar

    CroNiX

    4713 posts

    I would only destroy it if no other user data exists, as you said. I use sessions for a lot of things and wouldn’t be too happy if an auth system or shopping cart system destroyed my data. Leave that part up to me. 😊

    Actually, with a shopping cart system, I wouldn’t destroy the data. I’d put it in a separate table and use it to try to recapture the sale by sending them an email reminder that they still have items in their shopping cart (in case it was an accident that they left it) and that they will be removed in 48 hours if no action is taken (then a daily cron job removing data older than 48 hours). You’d be surprised, or maybe you wouldn’t, at how many sales get recaptured this way.

  • #6 / Apr 11, 2012 3:00pm

    InsiteFX's avatar

    InsiteFX

    6819 posts

    I would delete them when the user logs out, but you need to take into account if the user has a remember me cookie, but I make those a separate cookie from the sessions.

  • #7 / Apr 11, 2012 4:35pm

    skunkbad's avatar

    skunkbad

    1326 posts

    Hey, thanks for all of your responses. It’s good to have somebody to talk to (and listen to).

  • #8 / Apr 12, 2012 3:16pm

    skunkbad's avatar

    skunkbad

    1326 posts

    I would delete them when the user logs out, but you need to take into account if the user has a remember me cookie, but I make those a separate cookie from the sessions.

    Since you are setting a remember me cookie as a separate cookie, if you were autoloading the session class, do you have something like this in a MY_Controller:

    // In MY_Controller, so it runs before every controller: if the browser sent
    // a rememberMe cookie, stop the CodeIgniter session from expiring on browser
    // close and extend its lifetime. The cookie holds a lifetime in seconds.
    if( isset( $_COOKIE['rememberMe'] ) )
    {
         $this->session->sess_expire_on_close = FALSE;
         // The cookie value is client-supplied, so cast it rather than use it raw.
         $this->session->sess_expiration = (int) $_COOKIE['rememberMe'];
    }

    If remember me is checked when logging in:

    if( $this->input->post('remember_me') == '1' )
    {
         // 20 years in seconds, used both as the cookie's own expiry and as
         // the value MY_Controller reads back as the session lifetime.
         $lifetime = 60*60*24*365*20;

         $cookie = array(
             'name'   => 'rememberMe',
             'value'  => $lifetime,
             'expire' => $lifetime
         );

         $this->input->set_cookie($cookie);
    }

  • #9 / Apr 13, 2012 4:57am

    PhilTem

    872 posts

    So, my opinion on this topic: whenever a user changes his/her permissions/rights, I destroy the session and create a new one. I think it’s almost best practice, since you won’t have any old artifacts from before logging in or out.
    When it comes to remember-me functionality I always have the information separated into a cookie on the user’s side and a row in my remember_me table. Whenever the user logs out I remove any rows within the remember_me table which match the user’s ID. Since the remember-me logic needs both the cookie and a row inside the database to remember the user, it’s the most convenient way to “forget” a user was logged in. Of course, to push security to a higher level it would be safer to also unset the cookie, but I think, as long as the server doesn’t recall the user and requires him to log in again, it’s pretty good, actually 😉

  • #10 / Apr 13, 2012 10:06am

    InsiteFX's avatar

    InsiteFX

    6819 posts

    Nope, my remember me is all separate from my sessions.

    I store a hash key and a remember me key in the cookie and the users database record.

    I regenerate the cookie hash key every 5 minutes for security. For auto logging the user in I just check to see if they have a cookie and then check to see if the hash keys match. The hash key is using sha512.

    But I do a lot of this in the MY_Controller.
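Added example, not code from Community Auth or from either of the two posts above, of the remember-me design they describe: the cookie alone proves nothing, the server must hold a matching row, logout deletes the rows for that user, and the key is rotated periodically. The selector/validator split, the SHA-256 hashing of the validator, the in-memory array standing in for a remember_me table, and the class and method names are all assumptions of this example (PHP 8).

```php
<?php
// Added example (not Community Auth's code): remember-me tokens backed by a
// server-side table. The table is an in-memory array here so it runs offline.

final class RememberMe
{
    private const SELECTOR_BYTES  = 12;
    private const VALIDATOR_BYTES = 32;

    /** @var array<string, array{user_id:int, validator_hash:string, expires:int}> */
    private array $table = [];

    public function __construct(private int $lifetime = 60 * 60 * 24 * 30) {}

    /** Issue a token for $userId; returns the value to put in the cookie. */
    public function issue(int $userId, int $now): string
    {
        $selector  = bin2hex(random_bytes(self::SELECTOR_BYTES));
        $validator = bin2hex(random_bytes(self::VALIDATOR_BYTES));
        // Only a hash of the validator is stored: reading the table does not
        // yield a usable cookie. The selector is the lookup key.
        $this->table[$selector] = [
            'user_id'        => $userId,
            'validator_hash' => hash('sha256', $validator),
            'expires'        => $now + $this->lifetime,
        ];
        return $selector . ':' . $validator;
    }

    /** Return the user id behind a valid cookie, or null. */
    public function lookup(?string $cookie, int $now): ?int
    {
        if ($cookie === null || substr_count($cookie, ':') !== 1) {
            return null;
        }
        [$selector, $validator] = explode(':', $cookie, 2);
        $row = $this->table[$selector] ?? null;
        if ($row === null) {
            return null;
        }
        if ($row['expires'] < $now) {
            unset($this->table[$selector]);
            return null;
        }
        // Constant-time compare of the hashes, so timing does not leak bytes.
        if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
            // Known selector, wrong validator: treat as a stolen/guessed cookie
            // and burn the row, which also logs the real holder out.
            unset($this->table[$selector]);
            return null;
        }
        return $row['user_id'];
    }

    /** Periodic rotation: retire the current row and issue a fresh token. */
    public function rotate(string $cookie, int $now): ?string
    {
        $userId = $this->lookup($cookie, $now);
        if ($userId === null) {
            return null;
        }
        [$selector] = explode(':', $cookie, 2);
        unset($this->table[$selector]);
        return $this->issue($userId, $now);
    }

    /** Logout: remove every row for the user; returns how many were removed. */
    public function forgetUser(int $userId): int
    {
        $before = count($this->table);
        $this->table = array_filter($this->table, fn ($r) => $r['user_id'] !== $userId);
        return $before - count($this->table);
    }
}

// Constructed walk-through: login with remember me, auto-login, logout.
$rm   = new RememberMe();
$now  = time();
$cookie = $rm->issue(42, $now);            // setcookie('remember_me', $cookie, [...]) in a request
var_dump($rm->lookup($cookie, $now));      // auto-login succeeds
$fresh = $rm->rotate($cookie, $now + 300); // five minutes later, new cookie value
var_dump($rm->lookup($cookie, $now + 300)); // old value no longer matches a row
$rm->forgetUser(42);                       // logout
var_dump($rm->lookup($fresh, $now + 300)); // nothing on the server: cookie is useless
```

When sending the cookie in a real request, pass `['expires' => $now + $lifetime, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']` as the options array to `setcookie()`, and on logout also expire it client-side; the server-side delete is what actually revokes access, the cookie removal just stops the browser from presenting a dead token.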

  • #11 / Apr 13, 2012 10:47am

    skunkbad's avatar

    skunkbad

    1326 posts

    I ended up coming up with a simple solution for remember me, touching only my authentication library and MY_Session. Commit was yesterday. It’s just a simple second cookie solution.
