
It was advised on this website that, in order to implement strong logout functionality, you must mark session IDs as obsolete.

I was wondering how exactly you would do this? I have included `session_regenerate_id(true)`, but I'm not sure whether that marks the session ID as obsolete.

When the log-out form on the index page is submitted, the user is sent back to the login page:

Login page:

<?php
session_start(); // the session must be active before it can be regenerated or destroyed

if (isset($_POST["log_out"]) && ($_POST["log_out"] == '1')) {
    // this means we have come from another page after pressing the log out button,
    // so therefore we remove the session variables and destroy the session

    // The logout function on your website should mark session IDs as obsolete.
    session_regenerate_id(true); // is this right?

    session_unset();
    session_destroy();
    $loginMessage = "You have been logged out";
}

Index page logout form:

<form id="form-log-out" name="form-log-out" method="post" action="login.php" onsubmit="return confirmLogOut()">
    <input name="log_out" type="hidden" value="1"/>
    <input type="submit" class="button_style" value="Log Out" />
</form>
Sarah

1 Answer


As per the docs, session_regenerate_id:

Update[s] the current session id with a newly generated one

...

session_regenerate_id() will replace the current session id with a new one, and keep the current session information.

Thus, yes, this renders the old session ID obsolete.

For more information, see this question.

Hatchet
  • Thanks. Would you be able to tell me how (in this case) marking the session ID obsolete adds security? I'm confused about why it is needed if the session will be destroyed straight away anyway. When you destroy a session, does it not destroy the session ID also? – Sarah Mar 13 '16 at 18:50
    @Sarah `session_destroy` actually does not reset the session id, which is why `session_regenerate_id` is still useful. See this answer: http://stackoverflow.com/a/8642254/2773837 – Hatchet Mar 13 '16 at 18:55
  • Ah OK, that makes sense now. Thanks. – Sarah Mar 13 '16 at 19:01
  • One more question. Do you see the way I have 'true' as a parameter of `session_regenerate_id`? Does this also delete the previous session data? – Sarah Mar 13 '16 at 19:15
  • @Sarah Yes. The docs say: "**`delete_old_session`** Whether to delete the old associated session file or not." – Hatchet Mar 13 '16 at 19:16
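As an added example (not code from the question or from Hatchet's answer), here is a complete logout handler for the login.php flow above. It ties together the points made in the comments: `session_regenerate_id(true)` retires the old ID and deletes its server-side data, `session_destroy()` removes the server-side data but does not touch the client's cookie, so the cookie is expired explicitly. It assumes PHP 7.3 or later for the array form of `setcookie()` and the `samesite` key of `session_get_cookie_params()`; the function names `log_out()` and `rotate_session_id()` are my own.

```php
<?php
// Added example, not part of the original question or answer.
declare(strict_types=1);

/**
 * Replace the current session ID with a fresh one.
 * With $delete_old_session = true PHP deletes the old session's storage,
 * so a request carrying the old ID maps to nothing on the server.
 * Returns both IDs so callers (or tests) can confirm the rotation happened.
 */
function rotate_session_id(): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $old = session_id();
    session_regenerate_id(true);
    return ['old' => $old, 'new' => session_id()];
}

/**
 * Full logout: invalidate the old ID, clear session data, expire the cookie,
 * and destroy the server-side session.
 */
function log_out(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Retire the ID the browser has been using (old storage is deleted).
    rotate_session_id();

    // 2. Clear all session variables (same effect as session_unset()).
    $_SESSION = [];

    // 3. Expire the session cookie. session_destroy() does not do this, so
    //    without it the browser keeps presenting the (now meaningless) ID.
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $params['path'],
            'domain'   => $params['domain'],
            'secure'   => $params['secure'],
            'httponly' => $params['httponly'],
            'samesite' => $params['samesite'] ?? 'Lax',
        ]);
    }

    // 4. Destroy the server-side data for the current (already rotated) ID.
    session_destroy();
}

// Usage in login.php, mirroring the form posted in the question.
if (isset($_POST['log_out']) && $_POST['log_out'] === '1') {
    log_out();
    $loginMessage = 'You have been logged out';
}
```

The order matters: `session_regenerate_id(true)` must run while the session is still active, which is why it comes before `session_destroy()`. Calling it after `session_destroy()` would fail, because there is no active session to regenerate.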