0

When I log in to a website, an active session is created on the server and my browser retains its "logged in" state by sending the identifier of that session to the server on each request.

The problem with this approach is people may be able to steal your cookies (by cookie sniffing). The question is, does logging off actually kill the cookie on the server's side or not?

I guess this depends on the server as well as the server-side language. So for example, does ending a session on PHP on Apache actually make the session identifier invalid?

Merik
  • 1

2 Answers

1

There's no single answer for every server, but yes - that's the intent of logging out.

Kara Marfia
  • 2,061
1

That will depend on the server-side code, but sadly it's been my experience that rarely will developers do the "right thing" unless that happens to be the easiest thing.

chris
  • 9,595
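
For the PHP case the question asks about, a logout handler that invalidates the session on the server rather than only clearing the browser's cookie. This is an added example, not code from the question or either answer; it assumes PHP 7.3+ with PHP's built-in session handling, and `/login.php` is a hypothetical redirect target.

```php
<?php
// logout.php - added example; assumes PHP >= 7.3 and PHP's built-in sessions.
declare(strict_types=1);

function logout_current_session(): void
{
    // Attach to the session named by the cookie sent with this request.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Empty the in-memory data so nothing is written back at shutdown.
    $_SESSION = [];

    // 2. Delete the server-side record. This is the step that matters for a
    //    copied cookie: the old identifier no longer maps to any stored login
    //    state, so replaying it yields an unauthenticated session at best.
    //    With session.use_strict_mode=1, PHP also refuses to adopt an
    //    identifier it did not issue and generates a fresh one instead.
    session_destroy();

    // 3. Ask the browser to drop its cookie. This is hygiene only; a client
    //    that ignores it gains nothing, because step 2 already removed the data.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,   // any time in the past
            'path'     => $p['path'],       // must match the original cookie
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ]);
    }
}

logout_current_session();
header('Location: /login.php');   // hypothetical landing page
exit;
```

A logout that performs only step 3 leaves the session data on the server until garbage collection removes it, which is the case the question is worried about.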