Application Security: Logout

The counterpart to login is logout. The best practice for implementing logout is to use an IWActionModule. While a complete action module has initialization, validation, and execution, a logout action requires only that the ApplicationSecurityDelegate can perform session handling.

Listing: rsrc/action/DoLogout.php

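class DoLogout extends IWActionModule
{
   // Logout needs no initialization or validation; it only executes.
   function run()
   {
      // Delegate all session handling to the shared security delegate.
      $asd = ApplicationSecurityDelegate::sharedApplicationSecurityDelegate();
      $asd->clearSession();
   }

   // Destination returned for this action: the login page.
   function actionDestination()
   {
      return new IWURL(APPL_ROOT_DIR . 'login');
   }
}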

Session clearing can also be handled directly in the DoLogout action module, but I prefer to keep all the session handling with the ApplicationSecurityDelegate.

Partial Listing: rsrc/ApplicationSecurityDelegate.php

class ApplicationSecurityDelegate
{
   ...

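   // Removes the logged-in user from the session.
   // Only the 'USER' key is unset; any other session keys are left in place.
   function clearSession()
   {
      unset($_SESSION['USER']);
   }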
}
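
The clearSession() above removes only the 'USER' key, so other session values and the session ID itself stay valid after logout. The following is an added example, not code from the framework or the original listing: a stricter teardown that could be called from clearSession(), assuming PHP's native session handling on PHP 7.3 or later; the function name destroyUserSession is hypothetical.

```php
<?php
// Added example (hypothetical helper, not part of the framework on this page).
// Assumes PHP native sessions and PHP >= 7.3 (array form of setcookie()).

function destroyUserSession(): void
{
    // A session must be active before it can be torn down.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Drop every server-side value, not only $_SESSION['USER'],
    //    so cached roles, CSRF tokens, etc. do not outlive the login.
    $_SESSION = [];

    // 2. Expire the session cookie in the browser. The path, domain and
    //    flags must match the ones the cookie was issued with, otherwise
    //    the browser treats it as a different cookie and keeps the old one.
    if (ini_get('session.use_cookies')) {
        $params  = session_get_cookie_params();
        $options = [
            'expires'  => time() - 3600,
            'path'     => $params['path'],
            'domain'   => $params['domain'],
            'secure'   => $params['secure'],
            'httponly' => $params['httponly'],
        ];
        if (!empty($params['samesite'])) {
            $options['samesite'] = $params['samesite'];
        }
        setcookie(session_name(), '', $options);
    }

    // 3. Delete the server-side session record so the old session ID
    //    cannot be resumed, even if it was copied before logout.
    session_destroy();
}
```

Because step 2 sends a Set-Cookie header, the call has to happen before any output is written, which fits an action module that only redirects to the login page.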