Nuke sessions from the database when users logout

Summary: @tomo ran into an issue where he had some non-SSL-only cookie or whatever, so "Logout" had no apparent effect. Make sure "Logout" really works by destroying the session. I originally kept the sessions around to be able to debug session stuff, but we have a fairly good session log now and no reprorted session bugs except for all the cookie stuff. It's also slightly more secure to actually destroy sessions, since it means "logout" breaks any cookies that attackers somehow stole (e.g., by reading your requests off a public wifi network). Test Plan: Commented out the cookie clear and logged out. I was logged out and given a useful error message about clearing my cookies. Reviewers: jungejason, nh, tuomaspelkonen, aran Reviewed By: aran CC: tomo, aran, epriestley Differential Revision: 911
2024-11-19 05:12:41 +01:00 · 2011-09-08 14:16:59 -07:00 · 2011-09-08 14:16:59 -07:00 · 87309734cc
commit 87309734cc
parent 206546a6e3
2 changed files with 18 additions and 0 deletions
--- a/src/applications/auth/controller/logout/PhabricatorLogoutController.php
+++ b/src/applications/auth/controller/logout/PhabricatorLogoutController.php
@ -39,7 +39,15 @@ class PhabricatorLogoutController extends PhabricatorAuthController {
        PhabricatorUserLog::ACTION_LOGOUT);
      $log->save();

+      // Destroy the user's session in the database so logout works even if
+      // their cookies have some issues. We'll detect cookie issues when they
+      // try to login again and tell them to clear any junk.
+      $phsid = $request->getCookie('phsid');
+      if ($phsid) {
+        $user->destroySession($phsid);
+      }
      $request->clearCookie('phsid');
+
      return id(new AphrontRedirectResponse())
        ->setURI('/login/');
    }
--- a/src/applications/people/storage/user/PhabricatorUser.php
+++ b/src/applications/people/storage/user/PhabricatorUser.php
@ -284,6 +284,16 @@ class PhabricatorUser extends PhabricatorUserDAO {
    return $session_key;
  }

+  public function destroySession($session_key) {
+    $conn_w = $this->establishConnection('w');
+    queryfx(
+      $conn_w,
+      'DELETE FROM %T WHERE userPHID = %s AND sessionKey = %s',
+      self::SESSION_TABLE,
+      $this->getPHID(),
+      $session_key);
+  }
+
  private function generateEmailToken($offset = 0) {
    return $this->generateToken(
      time() + ($offset * self::EMAIL_CYCLE_FREQUENCY),