Hi. Just spent a bunch of time on this so I thought I'd bring it up. I suggest you add the following to the documentation:

It is recommended that you set the path /logout to be a secure page. On logout, in certain cases (especially on high performance sites), there is a need to clear out any cookies that might have been set to properly clean up the session. This avoids problems with upstream caching proxies such as Varnish. If the /logout page is not secure, the SSL cookie that is set by this module isn't available in the $_COOKIES array. You can then wind up with the normal session cookie having been removed, but the SSL cookie remaining on the site.

I hope that makes sense.

Comments

rjbrown99’s picture

izmeez’s picture

subscribing

shadowmihai’s picture

subscribing

cedarm’s picture

Makes sense to me, although from the HTTP perspective the session is already "clean" because the SSL cookie "doesn't exist".

@rjbrown99 can you elaborate on the case(s) where having the SSL cookie hang around affects things?

rjbrown99’s picture

Sure. For purposes of my upstream reverse proxy (varnish), it won't cache anything where it sees a valid cookie for the site. So I have a user that logs out of the authenticated portion of the site, the standard Drupal cookie is cleared but the SSL cookie remains. In that case, Varnish still sees a cookie and won't cache anything. If I properly remove all of the cookies now the user can surf the unauthenticated portion of the site and have everything cached.

cedarm’s picture

I'm working on exactly this with varnish right now and that's my point. Varnish doesn't support SSL and because of the https only flag on the SSL cookie varnish will never see it and therefore return cached pages. Or do you have something in front of Varnish to handle the SSL side? Hmm.. I suppose in that case varnish would get the SSL cookie.