Technical Support Forums
Clear browser session cookies on logout

Thread began 4/11/2022 6:45 am by Mags | Last modified 4/13/2022 1:31 pm by Ray Borduin | 467 views | 10 replies |

Mags

Clear browser session cookies on logout

Hi Ray, another issue picked up in my client's recent pen test was that "Session cookie was not changed when signing in and out of the application." At the moment it looks like the session cookie is only cleared when you close the browser, but it should clear when the user logs out. I've attached a copy of the login page, can you advise how I would change this?

Another thing they mention is "Session cookie was not validated against the web server database to confirm it was valid" - any idea how I could do this?


Ray Borduin (WebAssist)

Can I get a copy of the logout page? That is the page that I think needs to be updated.


Mags

Yes, have attached it here.


Ray Borduin (WebAssist)

Try adding this after line 2 on the logout page:

session_destroy();

I think that will clear the session cookie.


Mags

Didn't make any difference, unfortunately - the PHPSESSID is still saved in the browser after logging out.


Ray Borduin (WebAssist)

Maybe try:

@session_start();              // make sure a session is active (warning suppressed if one already is)
session_regenerate_id(true);   // issue a new session ID and delete the old session data
session_destroy();             // remove the server-side session data
session_commit();              // write and close the session
session_start();               // begin a fresh session

If that doesn't work, then you could try also adding:

if (ini_get("session.use_cookies")) {
    // expire the session cookie in the browser using the same parameters it was set with
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

Mags

I added all the lines and it still doesn't clear the PHPSESSID info. I wonder if this is related to the other issue covered in my other post https://www.webassist.com/forums/posts.php?pid=234428 ?


Ray Borduin (WebAssist)

No, it isn't related. I'm not even sure why this is an issue that would need to be addressed.

The phpsessid doesn't change? Does it get set to a new value?


Mags

I've added details in the PM of what the pen test report says in relation to session management. The PHPSESSID doesn't change when I log out - I have attached two screenshots of what Chrome lists when logged in and when logged out - both are identical, I think.


Ray Borduin (WebAssist)

For some of the issues you would have to update your php.ini file and add:

php_value session.cookie_httponly 1
php_value session.cookie_secure 1

That should take care of the secure flag and http only flag.

I updated your logout.php page so it clears the old cookie. It wasn't working because it was redirecting and the cookie update happens in the header of the browser. I removed the redirect so the logout page displays and that allows the page to clear the cookie.
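Putting both of Mags's questions together (making the PHPSESSID change on login and logout, and checking the session cookie against a server-side table), as an added example that is not code from this thread or from the WebAssist login/logout pages. It assumes PHP 7.3+ (for the setcookie options array), an in-memory SQLite table named active_sessions, and hypothetical function names; every page would call session_start() before using these.

```php
<?php
// Added example, not from the thread or WebAssist. Uses an in-memory SQLite
// table via PDO so it runs stand-alone; table and column names are assumed.
declare(strict_types=1);

function sessionDb(): PDO {
    static $db = null;
    if ($db === null) {
        $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $db->exec('CREATE TABLE active_sessions (sid_hash TEXT PRIMARY KEY, user_id INTEGER, expires_at INTEGER)');
    }
    return $db;
}

// Called after the username/password check succeeds.
function loginSession(int $userId, int $ttl = 1800): void {
    session_regenerate_id(true);            // new PHPSESSID is sent to the browser; old data removed
    $_SESSION = ['user_id' => $userId];
    sessionDb()->prepare('INSERT INTO active_sessions VALUES (?, ?, ?)')
        ->execute([hash('sha256', session_id()), $userId, time() + $ttl]);  // store a hash, not the raw ID
}

// Server-side check: the PHPSESSID the browser sent must match a live row in the database.
function sessionIsValid(): bool {
    $st = sessionDb()->prepare('SELECT user_id FROM active_sessions WHERE sid_hash = ? AND expires_at > ?');
    $st->execute([hash('sha256', session_id()), time()]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row !== false && (int)$row['user_id'] === (int)($_SESSION['user_id'] ?? -1);
}

// logout.php: revoke the session server-side, wipe its data, expire the cookie, then redirect.
function logoutSession(string $redirectTo = 'index.php'): void {
    sessionDb()->prepare('DELETE FROM active_sessions WHERE sid_hash = ?')
        ->execute([hash('sha256', session_id())]);
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Set-Cookie with a past expiry. It is a response header like Location, so the two
        // can go out together as long as nothing has been echoed before this point.
        setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => $p['path'],
            'domain' => $p['domain'], 'secure' => $p['secure'], 'httponly' => $p['httponly']]);
    }
    session_destroy();
    header('Location: ' . $redirectTo, true, 303);
    exit;
}

// Typical page guard: session_start(); if (!sessionIsValid()) { logoutSession('login.php'); }
```

A session revoked this way fails sessionIsValid() even if a copy of the old PHPSESSID is replayed, which is the check the pen test report asked for.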
