Is there another way to save session info?

Hi

I was testing a local web site and wanted to delete cookies to test logout, but after I deleted cookies / storage and refreshed I find myself still logged in. How is this possible?

Thanks

You would need to post all the code that’s necessary to reproduce the problem in order to get help.

You should determine the logged in state based on a value maintained on the server, not by the existence of a cookie, because someone/hacker/bot can capture a cookie value and submit it to impersonate the actual user. The cookie value (session id, unique token) should only identify who the user is, not their logged in/out state.

Don't have the code. But in incognito mode I am no longer logged in.

If you were looking at $_SESSION for your login information, it would still exist after you deleted cookies.

Even after deleting cookies, you might still be logged in if the session is stored on the server-side or in other types of storage like session storage, local storage, or cache. Make sure to clear all storage types and cache. Sometimes, a simple browser refresh isn’t enough, and you may need to close and reopen the browser completely.

If you delete the cookie in the browser, the web server must check if the cookie exists and redirect to the login page if the session cookie is not valid or missing.

Otherwise you are still “logged in” as the server does not know the session cookie status. For each request from the browser client, the web server must check if the session cookie is valid.

AFAIK only cookies can be read by the server, as they are sent in the request header at every request. Note that the web server cannot read either sessionStorage or localStorage directly in the same simple way as a cookie.
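Added example, not code from any poster in this thread: a small in-memory model of the per-request check discussed above, where the cookie only carries an identifier and the logged-in state lives on the server. `SessionStore`, the `session_id` cookie name and the 30-minute lifetime are assumptions made for illustration.

```python
import secrets
import time

SESSION_TTL = 1800  # seconds; constructed value for this example


class SessionStore:
    """Server-side session records keyed by an unguessable session id."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "expires": ...}

    def login(self, user, now=None):
        """Create a server-side record and return the id to set as a cookie."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": now + SESSION_TTL}
        return sid

    def current_user(self, cookies, now=None):
        """Run on every request: resolve the cookie against server state."""
        now = time.time() if now is None else now
        sid = cookies.get("session_id")
        record = self._sessions.get(sid) if sid else None
        if record is None:
            return None  # missing or unknown cookie -> treat as logged out
        if record["expires"] <= now:
            del self._sessions[sid]  # expired -> drop the record
            return None
        return record["user"]

    def logout(self, cookies):
        """Delete the server-side record; the old cookie value becomes useless."""
        self._sessions.pop(cookies.get("session_id"), None)


def demo():
    store = SessionStore()
    browser = {"session_id": store.login("alice", now=0)}
    captured = dict(browser)            # copy of the cookie held elsewhere
    results = {"with_cookie": store.current_user(browser, now=10)}
    browser.clear()                     # user deletes cookies in the browser
    results["cookie_deleted"] = store.current_user(browser, now=20)
    results["copy_before_logout"] = store.current_user(captured, now=30)
    store.logout(captured)              # server-side logout
    results["copy_after_logout"] = store.current_user(captured, now=40)
    return results
```

Deleting the cookie in the browser leaves the server-side record in place until it expires, which is why a real logout has to remove the record on the server as well.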

OP hasn’t been back to the forum since June 26th, so presumably they’ve solved the problem by now.