Hi,
I am using Silverstripe 2.4.6 and I found a bug when calling the method destroy from the Session class. In fact, this method works fine if the PHP session is not assigned to a specific domain. However, when it is, the PHPSESSID cookie is not cleaned up as expected.
Analyzing the source code, I realized that, when creating the session, Silverstripe takes the domain and path into account:
public static function start($sid = null) {
    self::load_config();
    $path = self::get_cookie_path();
    $domain = self::get_cookie_domain();
    $secure = self::get_cookie_secure();
    if(!session_id() && !headers_sent()) {
        // The session cookie is created with the configured path and (if any) domain.
        if($domain) {
            session_set_cookie_params(self::$timeout, $path, $domain, $secure /* secure */, true /* httponly */);
        } else {
            session_set_cookie_params(self::$timeout, $path, null, $secure /* secure */, true /* httponly */);
        }
        // ... remainder of start() omitted from this excerpt
    }
}
However, the same does not happen in the destroy method:
public static function destroy($removeCookie = true) {
    if(session_id()) {
        if($removeCookie) {
            // No path, domain, secure or httponly arguments: the deletion cookie
            // does not match the one created in start() when a domain is configured.
            setcookie(session_name(), '');
            unset($_COOKIE[session_name()]);
        }
        session_destroy();
    }
}
The result is that, when creating the cookie, the server sends this header:
Set-Cookie: PHPSESSID=an0918hnjouo8j027c4on7dju1; path=/; domain=.myDomain.com; HttpOnly
but when destroying it, only part of this information is sent:
Set-Cookie: PHPSESSID=deleted; expires=Fri, 12-Nov-2010 10:42:28 GMT
My suggestion to fix this issue:
public static function destroy($removeCookie = true) {
    if(session_id()) {
        if($removeCookie) {
            // Use the same cookie parameters as start(), so the browser matches
            // the deletion against the cookie that was actually set.
            $path = self::get_cookie_path();
            $domain = self::get_cookie_domain();
            $secure = self::get_cookie_secure();
            if($domain) {
                setcookie(session_name(), '', null, $path, $domain, $secure, true);
            }
            else {
                setcookie(session_name(), '', null, $path, null, $secure, true);
            }
            unset($_COOKIE[session_name()]);
        }
        session_destroy();
    }
}
Thanks
João Santos
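The browser-side behaviour behind this report, as an added example that is not part of the original post or of Silverstripe's own code: a browser stores cookies keyed by name, domain and path, so a deletion header that omits the domain and path of the original cookie is treated as a different cookie and the real PHPSESSID survives. The script below replays the two Set-Cookie headers quoted above (constructed samples, copied from the post) through Python's standard http.cookiejar, which applies the same keying rules, then shows what the browser would send on the next request. The site URL, the /Security/logout path and the "patched" deletion header (the attributes the proposed destroy() would add) are assumptions.

```python
"""Replay the Session::destroy() cookie bug through a cookie jar.

Added example, not Silverstripe code. Uses only the standard library.
"""
import email.message
import http.cookiejar
import urllib.request

# Constructed sample headers, copied from the two Set-Cookie lines in the post.
SESSION_SET_COOKIE = (
    "PHPSESSID=an0918hnjouo8j027c4on7dju1; path=/; domain=.myDomain.com; HttpOnly"
)
# What the unpatched destroy() emits: no path, no domain. The browser keys this
# as a host-only cookie scoped to the request path, i.e. a *different* cookie.
BROKEN_DELETE = "PHPSESSID=deleted; expires=Fri, 12-Nov-2010 10:42:28 GMT"
# Assumed output of the patched destroy(): same attributes as the cookie being
# removed, so the deletion matches the stored cookie.
FIXED_DELETE = (
    "PHPSESSID=deleted; expires=Fri, 12-Nov-2010 10:42:28 GMT; "
    "path=/; domain=.myDomain.com; HttpOnly"
)

# Assumed URLs: the site lives at www.myDomain.com; the logout path is hypothetical.
LOGIN_URL = "https://www.myDomain.com/"
LOGOUT_URL = "https://www.myDomain.com/Security/logout"


class _Response:
    """Just enough of an HTTP response for CookieJar.extract_cookies():
    it only calls .info() and expects a mapping with get_all()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for header in set_cookie_headers:
            self._headers.add_header("Set-Cookie", header)

    def info(self):
        return self._headers


def receive(jar, url, set_cookie_headers):
    """Feed the Set-Cookie headers of a response to `url` into the jar,
    applying the browser-style domain/path matching rules."""
    jar.extract_cookies(_Response(set_cookie_headers), urllib.request.Request(url))


def stored_session_cookies(jar):
    """(domain, path, value) of every PHPSESSID cookie still held in the jar.
    Domains come back lower-cased, as the jar normalises them."""
    return sorted((c.domain, c.path, c.value) for c in jar if c.name == "PHPSESSID")


def cookie_header_sent(jar, url):
    """The Cookie header the jar would attach to a request for `url`, or None."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def simulate_logout(delete_header):
    """Log in (receive the session cookie), then log out using `delete_header`.
    Returns (session cookies left in the jar, Cookie header on the next request)."""
    jar = http.cookiejar.CookieJar()
    receive(jar, LOGIN_URL, [SESSION_SET_COOKIE])
    receive(jar, LOGOUT_URL, [delete_header])
    return stored_session_cookies(jar), cookie_header_sent(jar, LOGIN_URL)


if __name__ == "__main__":
    for label, header in (("unpatched", BROKEN_DELETE), ("patched", FIXED_DELETE)):
        left, sent = simulate_logout(header)
        print(f"{label}: cookies left={left}; next request sends Cookie: {sent!r}")
```

With the unpatched deletion the jar still holds the original cookie and the next request to the site carries the old PHPSESSID value; with the matching attributes the cookie is gone and no Cookie header is sent. Note that the jar, like a browser, treats a deletion whose expiry date fails to parse as a brand-new session cookie, so a deletion that mis-spells the date would add a second PHPSESSID rather than remove the first.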