User Logout
Overview
Logout is the process of terminating a user's authenticated session and clearing its state on both the server and the browser. After logging out, the user can no longer access protected pages until they log in again, and the old session identifier must not grant access to anyone who still holds it.
The key steps are:
- User clicks the "Logout" button or link.
- Server destroys the session.
- Server clears all session data.
- User is redirected to the login page.
- The previous session cannot be reused.
Session Destruction
A proper logout must do more than just clear a variable. Four things need to happen to fully terminate a session:
- Unset all session variables to clear the $_SESSION array.
- Delete the session cookie from the user's browser by sending it back expired.
- Destroy the session file (or storage record) on the server.
- Regenerate the session ID so the old ID can never be reused (this defends against session fixation).
This ensures that session data is cleared from memory, the cookie is removed from the browser, the session file is deleted from the server, and the old session ID cannot be reused.
In your application, SessionManager::destroy() handles all of this in a single call.
Logout Flow
- User clicks the Logout button.
- Browser sends the logout request (shown as GET /logout in the original flow diagram; the security note below explains why POST is preferable).
- Server destroys the session: unsets the variables, deletes the cookie, and removes the session file.
- Server stores a success flash message for the next page.
- Server redirects to /login.
Security Note
Using a POST request for logout is recommended over GET. A GET-based logout is vulnerable to CSRF: an attacker can log a user out by tricking their browser into requesting the logout URL, for example through an image tag like <img src="/logout"> embedded in any page the user visits, because the browser attaches the session cookie automatically. A POST request carrying a CSRF token that the server verifies against the session prevents this, and the logout handler should reject GET outright rather than treat it as a logout. Setting the session cookie's SameSite attribute adds a second layer, since browsers then omit the cookie from cross-site requests.
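The four destruction steps from the Session Destruction section and the POST-only, CSRF-checked handler described in this note, combined in one added example. This is not the tutorial's own SessionManager: the methods start(), csrfToken() and verifyCsrf(), the $_SESSION keys 'csrf_token' and 'flash', PHP 8, and an HTTPS-only site are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the tutorial's SessionManager. Assumed: PHP 8, HTTPS,
// and the session keys 'csrf_token' and 'flash'.
final class SessionManager
{
    public static function start(): void
    {
        if (session_status() === PHP_SESSION_ACTIVE) {
            return;
        }
        session_set_cookie_params([
            'httponly' => true,
            'secure'   => true,   // assumes the site is served over HTTPS
            'samesite' => 'Lax',  // browsers omit the cookie on cross-site POSTs
        ]);
        session_start();
    }

    /** Per-session CSRF token, created on first use (assumed storage key). */
    public static function csrfToken(): string
    {
        if (empty($_SESSION['csrf_token'])) {
            $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
        }
        return $_SESSION['csrf_token'];
    }

    /** Constant-time comparison; a missing or empty token never verifies. */
    public static function verifyCsrf(mixed $submitted): bool
    {
        $expected = $_SESSION['csrf_token'] ?? '';
        return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
    }

    /** The four logout steps: unset data, delete cookie, destroy file, fresh ID. */
    public static function destroy(): void
    {
        // 1. Unset all session variables.
        $_SESSION = [];

        // 2. Delete the session cookie from the browser by sending it back expired,
        //    with the same attributes it was issued with so the browser matches it.
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', [
                'expires'  => time() - 42000,
                'path'     => $p['path'],
                'domain'   => $p['domain'],
                'secure'   => $p['secure'],
                'httponly' => $p['httponly'],
                'samesite' => $p['samesite'],
            ]);
        }

        // 3. Destroy the session file (or storage record) on the server.
        session_destroy();

        // 4. Open a brand-new session under a fresh ID so the old ID can never be
        //    reused (fixation defence). The new, empty session is also where a
        //    post-logout flash message can live across the redirect.
        session_start();
        session_regenerate_id(true);
    }
}

/** Logout button: a POST form carrying the CSRF token, never a plain link. */
function logoutForm(): string
{
    $token = htmlspecialchars(SessionManager::csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/logout">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit">Logout</button></form>';
}

// Handler for /logout.
SessionManager::start();

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
    // A GET must not log anyone out: <img src="/logout"> on a hostile page
    // would otherwise fire it. Refuse with 405 and advertise the allowed method.
    header('Allow: POST');
    http_response_code(405);
    exit('Logout requires a POST request.');
}

if (!SessionManager::verifyCsrf($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid CSRF token.');
}

SessionManager::destroy();
$_SESSION['flash'] = 'You have been logged out.'; // stored in the fresh session
header('Location: /login', true, 303);             // 303: the browser follows with GET
exit;
```

The order inside destroy() matters: the session file is removed before the new session is started, so even if the browser ignores the expiring Set-Cookie, the old ID no longer maps to any server-side data, and session_regenerate_id(true) issues a fresh ID for the flash message to ride on. Rejecting GET with 405 also means a stray <img src="/logout"> produces a visible error in logs rather than a silent logout.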