0

When I log in to a website, an active session is created on the server and my browser retains its "logged in" state by sending the identifier of that session to the server on each request.

The problem with this approach is people may be able to steal your cookies (by cookie sniffing). The question is, does logging off actually kill the cookie on the server's side or not?

I guess this depends on the server as well as the server-side language. So for example, does ending a session on PHP on Apache actually make the session identifier invalid?

Merik

2 Answers

1

There's no single answer for every server, but yes - that's the intent of logging out.

Kara Marfia
  • For the specific example of PHP on Apache, is the answer positive? – Merik Nov 07 '10 at 18:34
  • Also, I'm interested to know if there's a way in PHP on Apache to "change" the session ID after successful login/logout. – Merik Nov 07 '10 at 18:34
  • I can tell you that as a general term, "logging out" is intended to end the session. Sorry I can't help you with PHP specifically. – Kara Marfia Nov 11 '10 at 13:02
1

That will depend on the server-side code, but sadly it's been my experience that rarely will developers do the "right thing" unless that happens to be the easiest thing.

chris
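
For the PHP case raised in the question and comments, here is one way a logout handler can invalidate the session on the server instead of only clearing the cookie, with the identifier changed at login. This is an added example, not code from either answer; the helper names (`start_secure_session`, `app_login`, `app_logout`) are hypothetical, and it assumes PHP 7.3 or later with the default cookie-based sessions.

```php
<?php
// Added example. Helper names are hypothetical; assumes PHP >= 7.3.

function start_secure_session(): void
{
    session_set_cookie_params([
        'httponly' => true,   // cookie is not readable from JavaScript
        'secure'   => true,   // cookie is only sent over HTTPS (limits sniffing)
        'samesite' => 'Lax',
    ]);
    session_start();
}

function app_login(string $userId): void
{
    // Issue a fresh identifier and delete the old session record, so an
    // identifier observed before login carries no state afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function app_logout(): void
{
    // 1. Drop the session data held in memory for this request.
    $_SESSION = [];

    // 2. Ask the browser to discard the cookie. On its own this does NOT
    //    invalidate the identifier: a copied cookie would still be accepted.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }

    // 3. Delete the server-side session record. The old identifier now
    //    maps to no data, so replaying it does not restore the login.
    session_destroy();
}
```

Call `start_secure_session()` at the top of each request, `app_login()` once credentials have been verified, and `app_logout()` from the logout handler.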