-1

When I log out, the PHPSESSID cookie value is changed, but the cookie itself is not removed. Also, the debug toolbar shows "Has session - yes" after logout.

If I remove the cookie manually and refresh the page, it is not created and the debug toolbar shows "Has session - no".

How do I make the logout action not start a new session?

AlexeyF
  • Your previous session was destroyed and recreated again. It's alright. Don't overthink it, as it is expected behavior. I will suggest you read more about cookies and how PHPSESSID works: https://stackoverflow.com/questions/1535697/how-do-php-sessions-work-not-how-are-they-used – hanish singla Aug 28 '18 at 11:16
  • But why is it recreated? Requests with a session cookie are usually not cached by reverse proxies, but I want to use caching for unauthenticated users. – AlexeyF Aug 28 '18 at 12:39
  • Imagine you have a web cart you want to store the products choice of the user even if he isn't connected – Mcsky Aug 28 '18 at 12:48
  • I understand why someone wants to use a session for an unregistered user. But even then, the session is only created when I try to access it the first time (in Symfony). But after logout it's expected I should have no session if I do not access it. – AlexeyF Aug 28 '18 at 13:00
  • @AlexeyF Session does not only mean a user login. A session is always present as long as you have `session_start()` in your code. Even if you logged out, the session will be present. Only the token will be missing from the session. Symfony uses an Anonymous token in case no user token is found. I will suggest you read about how sessions and cookies work. – hanish singla Aug 29 '18 at 04:57
  • @hanishsingla I understand how sessions work in general. My question is Symfony specific because the framework controls when to call `session_start()` etc. Usually Symfony starts the session only if you try to read or write something to the session. In my project guest users do not write or read anything from the session, so the question is why it exists for a guest user? I do not want the session cookie to exist, because it makes it difficult to use caching. – AlexeyF Aug 29 '18 at 08:36
  • I think it's perfectly normal to have a session irrespective of user login, as the session not only holds user information. It can hold other configs as well. We can always check for a token in the current session if we want to validate the user. Other values (e.g. language or currency selected) can exist in the session, independent of user login. – hanish singla Aug 29 '18 at 09:47
  • I tend to agree with @AlexeyF. Initially no session exists. After login, a session needs to be created. After logout, I cannot clear out that session. Exactly the same problem with AlexeyF. I don't care if that is normal or not, the truth is, I am not in control of my session. That's a big problem. – Thomas Cheng Nov 29 '19 at 11:09

1 Answer

2

It's possible to add a list of cookies you want to delete on logout. Not sure if it is the best solution, but the session does not exist after logout.

Example security configuration:

security:
    firewalls:
        main:
            anonymous: ~
            logout:
                path: /logout
                target: /
                delete_cookies: ['PHPSESSID']
AlexeyF
  • IMO this config will delete only the current cookie. After you refresh the page, the "PHPSESSID" cookie will appear again. – hanish singla Aug 29 '18 at 09:43
  • No, a page refresh does not create a new cookie. It will create a new cookie only if your PHP code tries to write or read data in the session. [Related docs](https://symfony.com/doc/current/session/avoid_session_start.html) – AlexeyF Aug 29 '18 at 09:55
  • @AlexeyF Maybe that works, but did you check if the session file (the actual session storage that the cookie was referring to) actually got deleted from the file system? – Thomas Cheng Nov 29 '19 at 11:10
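The same effect as `delete_cookies: ['PHPSESSID']` can be reached with a custom logout handler, which also makes the mechanism behind the question visible: Symfony's built-in `SessionLogoutHandler` calls `invalidate()` on the session, which clears the server-side data and regenerates the session id, so the browser receives a new cookie value unless the response also expires the cookie. The following is an added example, not code from the question or from Symfony itself; it assumes a Symfony 3.4/4.x application using `LogoutHandlerInterface` (later versions replace this with a `LogoutEvent` listener), and the class name `App\Security\SessionCookieLogoutHandler` is made up for the example.

```php
<?php
// Added example (not from the question or from Symfony): a logout handler that
// makes sure the server-side session is destroyed and that the session cookie is
// expired in the response, so the next request carries no session cookie at all.
// Assumes Symfony 3.4/4.x with LogoutHandlerInterface.
namespace App\Security;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Http\Logout\LogoutHandlerInterface;

final class SessionCookieLogoutHandler implements LogoutHandlerInterface
{
    public function logout(Request $request, Response $response, TokenInterface $token): void
    {
        // Resolve the real cookie name instead of hard-coding PHPSESSID, since
        // framework.session.name may have changed it.
        $cookieName = 'PHPSESSID';

        if ($request->hasSession()) {
            $session = $request->getSession();
            $cookieName = $session->getName();

            // invalidate() clears the session data and migrates to a fresh id with
            // the old session destroyed (session_regenerate_id(true) under the
            // native storage). The built-in SessionLogoutHandler normally does this
            // before custom handlers run; repeating it here keeps the handler
            // self-contained. This is also the step that changes the cookie value
            // the question observed.
            $session->invalidate();
        }

        // Expire the cookie in the response. Without this the regenerated id is
        // sent back to the browser and the toolbar keeps showing "Has session - yes".
        // clearCookie() sends a Set-Cookie header with a past expiry date.
        $response->headers->clearCookie($cookieName, '/');
    }
}
```

Register the handler under the firewall's logout section with the `handlers` key (`logout: { path: /logout, target: /, handlers: [App\Security\SessionCookieLogoutHandler] }`). After the redirect the browser no longer presents a session cookie, and since Symfony only starts a session when code reads from or writes to it, a guest request stays session-less and cacheable; the session file question raised in the comments is answered by `invalidate()`, which destroys the old server-side session rather than leaving it behind.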