jimfog Posted October 10, 2012: On logout, besides deleting the cookie on the user's browser, do you think it is necessary that I should also delete the username/token combo in the database? Probably yes... what is the reason for keeping them? But I just wanted to hear your opinion. P.S. I am storing the cookie token in a separate table along with the username.
birbal Posted October 10, 2012: Yes, you should delete session cookies/data, persistent cookies, and tokens in the db.
JamesB Posted October 10, 2012: If someone logs in, then finds out they have a virus or something on their computer, they might want to log out hoping it will force the hacker to re-login with username and password. If the logout didn't remove the server-side token, the hacker would then still be able to send the token to the server directly, and the server would find the token in the database and think the hacker is logged in, despite the real user clicking logout. If you were limited to removing the token from either the client or the server, it would be better to remove it from the server (but remove it from all places when possible).
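The point JamesB makes above, as an added example that is not code from the thread: a minimal persistent-login token store (an in-memory stand-in for the username/token table, with only a hash of the token kept server-side) and two logout variants, showing that a client-only logout leaves a copied token valid while a logout that also deletes the database row does not. The store, function names and the "alice" account are all constructed for this illustration.

```python
import hashlib
import secrets


class RememberMeStore:
    """In-memory stand-in for the username/token table (constructed for this example)."""

    def __init__(self):
        self.rows = {}  # sha256(token) -> username; the raw token is never stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        token = secrets.token_urlsafe(32)          # 256-bit random token
        self.rows[self._digest(token)] = username
        return token                               # raw value goes into the cookie

    def lookup(self, token):
        return self.rows.get(self._digest(token))  # None if no matching row

    def revoke(self, token):
        return self.rows.pop(self._digest(token), None) is not None


def login(store, browser_cookies, username):
    browser_cookies["remember"] = store.issue(username)


def logout_client_only(browser_cookies):
    browser_cookies.pop("remember", None)          # clears only the user's browser


def logout(store, browser_cookies):
    token = browser_cookies.pop("remember", None)
    if token is not None:
        store.revoke(token)                        # also deletes the server-side row


def demo():
    """Replay a previously copied cookie value after each kind of logout."""
    store, jar = RememberMeStore(), {}
    login(store, jar, "alice")
    copied = jar["remember"]        # the copy the malware in the post would hold
    logout_client_only(jar)
    after_client_logout = store.lookup(copied)   # "alice": server still accepts it
    login(store, jar, "alice")
    copied = jar["remember"]
    logout(store, jar)
    after_full_logout = store.lookup(copied)     # None: row is gone, replay fails
    return after_client_logout, after_full_logout
```

`demo()` returns `("alice", None)`: the same replayed cookie value is still honoured after a client-only logout and rejected after a logout that removed the token from the table.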