Closed (fixed)
Project:
Drupal core
Version:
7.x-dev
Component:
user system
Priority:
Normal
Category:
Feature request
Assigned:
Unassigned
Reporter:
Created:
7 Sep 2008 at 03:34 UTC
Updated:
18 Jan 2012 at 14:29 UTC
The attached patch unsets the session data, and removes the cookie from the browser when someone logs off.
| Comment | File | Size | Author |
|---|---|---|---|
| session-destroy.patch | 770 bytes | kbahey |
Comments
Comment #1
lilou commentedComment #2
maartenvg commentedI don't think this is a good idea. The function sess_destroy_sid($sid) should be used to destroy the session of the user with the session_id $sid, not (also) the session of the current user. If a session_id of a specific user X (not being the current user) is fed into this function, both the current user and user X will be logged out, which is not the desired behavior.
The only way I can think of how this might become functional, is creating a sess_destroy_current(), which calls session_destroy_uid() with the current UID, and then destroys the cookies and session.
Comment #3
damien tournoud commentedsess_destroy_sid()is registered to the PHP session handler usingsession_set_save_handler(), as described in the PHP manual [1]:The cookie management is handled by the PHP session handler. We don't have anything to do here.
[1] http://www.php.net/manual/en/function.session-set-save-handler.php
Comment #4
kbahey commentedDamien
The handler we have just deletes the sid from the database, and is passed the sid as an argument. It does not do anything else.
If you look at session_destroy()'s documentation, the example does exactly what this patch does: a) unsets the session data, and b) destroys the cookie. We don't need to do anything to the sid since the sess_destroy_sid() function takes care of that.
Perhaps we can change the
$_SESSION = array()to session_unset() too, but the main point here is not to leave the cookie in the browser.Comment #5
moshe weitzman commentedI do not think cookie destroy is handled automatically by php so this is a useful patch. Code looks good to me.
Comment #6
Anonymous (not verified) commentedThe last submitted patch failed testing.
Comment #7
valthebaldBoth 8.x-dev and 7.x-dev session.inc contain the code from the patch.
Given the age of the issue, it was probably fixed by other patch