  1. #1
    Should logging out delete ALL persistent sessions?

    Hi guys not been here for a while. The forums seem to have changed massively since I last posted!

    An application I am developing has one of those "remember me for 30 days" features.

    When a user logs out their persistent session is currently remembered. This means when they return later they are still automatically logged in. Does this idea seem right to people? Should logging out also destroy your persistent session?

    The system is also designed so that a user can have multiple persistent sessions mapped to a single username. When they log out should all of the sessions on other browsers/systems be deleted too?

    Thanks for the feedback.

  2. #2
    JeffWalden
    When you say the "user logs out" do you mean they simply close their browser or they actively click something to log out? The difference is huge, as far as I'm concerned. If the user set the 30 day feature and then just closes the browser, they should probably stay logged in. However, if the user actively attempts to log out then the 30 day rule is out the window and the session should be destroyed entirely.
    TAKE A WALK OUTSIDE YOUR MIND.

  3. #3
    Quote Originally Posted by JeffWalden View Post
    When you say the "user logs out" do you mean they simply close their browser or they actively click something to log out? The difference is huge, as far as I'm concerned. If the user set the 30 day feature and then just closes the browser, they should probably stay logged in. However, if the user actively attempts to log out then the 30 day rule is out the window and the session should be destroyed entirely.
    Sorry for the lack of clarity. I mean when the user clicks the "log out" link.

  4. #4
    felgall
    If the user clicks the logout link then they should be logged out.

    If they ticked "Remember Me" then their username should be filled in automatically on the login screen the next time they visit.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  5. #5
    Michael Morris
    Yes, if they are logging out, they are logging out. Setting a cookie is for when they close the browser (or just the page tab). As part of the logout you should clear the cookie.

  6. #6
    felgall
    Quote Originally Posted by Michael Morris View Post
    Yes, if they are logging out, they are logging out. Setting a cookie is for when they close the browser (or just the page tab). As part of the logout you should clear the cookie.
    The cookie that identifies them as logged in should be cleared. The cookie that remembers their username so they don't need to type it the next time they log in should be kept.

  7. #7
    Michael Morris
    The browser can do that without the cookie.

  8. #8
    felgall
    Quote Originally Posted by Michael Morris View Post
    The browser can do that without the cookie.
    Not necessarily. It depends on the browser and the browser settings. If all browsers did that automatically there'd be no need for any login forms to include a "remember me" checkbox.

  9. #9
    Quote Originally Posted by felgall View Post
    The cookie that remembers their username so they don't need to type it the next time they log in should be kept.
    *Should* is only your opinion here. There may be privacy concerns - for example, after I log out I may not want other people to know that I was visiting the site. Especially when the email address is used as login. And really important on banking sites, etc. Also, as Morris said, every modern browser remembers input form data, so no need to replicate that with a cookie. I am the one who doesn't like seeing my username filled in automatically after I log out of the site.

    Quote Originally Posted by felgall
    Not necessarily. It depends on the browser and the browser settings.
    And that is a good thing and let it stay that way - I can control this behaviour in my browser settings and I don't want web sites to impose on me filling in my username automatically.

    If all browsers did that automatically there'd be no need for any login forms to include a "remember me" checkbox.
    There is a difference between a browser remembering my credentials and "remember me" function. When I rely on my browser then I get logged out each time I end my session and when I come back I need to log in again through a login form so each time I come back I get to choose whether I want to log in (in a single click since my browser fills in my credentials) or browse the site as a guest. When I check "remember me" then each time I come back I am already logged in, no need to go through the login form again.

  10. #10
    Quote Originally Posted by corbyboy View Post
    The system is also designed so that a user can have multiple persistent sessions mapped to a single username. When they log out should all of the sessions on other browsers/systems be deleted too?
    I don't think so. I may visit a site regularly from my home computer which uses a persistent session because I trust that no one will take advantage of that. However, I may occasionally log in to the same site on someone else's computer and then log out and I wouldn't want my home session to end.

    Two things to consider:
    - when a user changes password then all his persistent sessions are deleted except the current one
    - optionally, you could enable users to delete all their persistent sessions if they wish, for example in the user control panel
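
The revocation rules discussed in this thread (an explicit log out ends only that browser's persistent session, a password change ends all of the user's other sessions, and a control-panel option ends all of them), as an added example that is not part of any post above. The class, its method names and the in-memory table are assumptions for illustration; tokens are kept only as SHA-256 hashes so a leaked table cannot be replayed as cookies.

```python
import hashlib
import secrets
import time

THIRTY_DAYS = 30 * 24 * 3600  # "remember me for 30 days" from the thread


class PersistentSessions:
    """In-memory stand-in for a persistent-session table (hypothetical schema)."""

    def __init__(self):
        # sha256(token) -> (username, expiry); raw tokens are never stored
        self._rows = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, now=None):
        """Create one session per browser/device and return its cookie value."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._rows[self._key(token)] = (username, now + THIRTY_DAYS)
        return token

    def lookup(self, token, now=None):
        """Return the username for a live token, else None (expired rows are dropped)."""
        now = time.time() if now is None else now
        row = self._rows.get(self._key(token))
        if row is None or row[1] <= now:
            self._rows.pop(self._key(token), None)
            return None
        return row[0]

    def logout(self, token):
        """Explicit "log out" click: destroy this browser's session only."""
        self._rows.pop(self._key(token), None)

    def revoke_others(self, username, keep_token):
        """Password change: delete every session of the user except the current one."""
        keep = self._key(keep_token)
        for k in [k for k, (u, _) in self._rows.items() if u == username and k != keep]:
            del self._rows[k]

    def revoke_all(self, username):
        """Control-panel option: delete all of the user's persistent sessions."""
        for k in [k for k, (u, _) in self._rows.items() if u == username]:
            del self._rows[k]
```

The server-side delete in `logout()` is what actually ends the session; the response should also expire the cookie in the browser, as suggested in post #5.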

