---
title: Invalidate Session On Logout
impact: MEDIUM
impactDescription: ensures logout actually terminates access
tags: session, logout, invalidation, security, php
---

## Invalidate Session On Logout

If sessions or tokens are not explicitly invalidated on the server during logout, an attacker who has stolen a session cookie or token can still access the application even after the user has "logged out".

**Incorrect (client-only or partial logout):**

```php
// Server-side: just redirecting without destroying the session
// (the session ID in the cookie still maps to live data on the server)
header("Location: /login.php");
exit;

// Frontend-only logout (the session cookie is still valid on the server!)
// localStorage.removeItem('token');
```

**Correct (server-side invalidation):**

```php
// Standard PHP session invalidation (e.g. logout.php)
session_start();

// 1. Unset all session variables
$_SESSION = [];

// 2. Expire the session cookie in the browser, using the same
//    attributes it was issued with so the browser matches it
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

// 3. Destroy the session data on the server
session_destroy();

header("Location: /login.php");
exit;
```

In Laravel (recommended), the framework clears the data, rotates the session ID and handles the cookie for you:

```php
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Session;

Auth::logout();
Session::invalidate();       // flush session data and regenerate the session ID
Session::regenerateToken();  // rotate the CSRF token so the old one cannot be reused
```

**Important Steps:**
1. Clear all session data (`$_SESSION = []`).
2. Expire the session cookie in the user's browser.
3. Call `session_destroy()` to remove the server-side storage.
4. If using JWTs, add the token to a denylist (blacklist) until its natural expiration; stateless tokens cannot be revoked any other way.
5. Redirect the user and serve authenticated pages with `Cache-Control: no-store` so the browser cannot show them via the "Back" button after logout.
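The following is an added example, not code from the original rule: a single logout handler that carries out all five steps above, including a small JWT denylist for step 4 and the check the authentication middleware would make against it. The `TokenDenylist` class, the `revoked_tokens` table and the `$jwtClaims` array (assumed to hold the token's `jti` and `exp` claims) are hypothetical; the SQL is written for a SQLite-backed PDO connection.

```php
<?php
declare(strict_types=1);

// Added example (not from the original rule). Assumed schema (SQLite):
//   CREATE TABLE revoked_tokens (jti TEXT PRIMARY KEY, expires_at INTEGER NOT NULL);
final class TokenDenylist
{
    public function __construct(private PDO $db) {}

    // Step 4: remember a revoked token only until its own exp claim; after that
    // the verifier rejects it on expiry anyway, so the entry can be purged.
    public function revoke(string $jti, int $exp): void
    {
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO revoked_tokens (jti, expires_at) VALUES (:jti, :exp)'
        );
        $stmt->execute([':jti' => $jti, ':exp' => $exp]);
    }

    public function isRevoked(string $jti): bool
    {
        $stmt = $this->db->prepare(
            'SELECT 1 FROM revoked_tokens WHERE jti = :jti AND expires_at > :now'
        );
        $stmt->execute([':jti' => $jti, ':now' => time()]);
        return (bool) $stmt->fetchColumn();
    }

    // Housekeeping so the table stays bounded (run from a cron job).
    public function purgeExpired(): int
    {
        $stmt = $this->db->prepare('DELETE FROM revoked_tokens WHERE expires_at <= :now');
        $stmt->execute([':now' => time()]);
        return $stmt->rowCount();
    }
}

// Middleware-side check: a token is usable only if it is unexpired AND not denylisted.
// $claims is the already signature-verified payload (hypothetical helper input).
function isTokenUsable(array $claims, TokenDenylist $denylist): bool
{
    if (!isset($claims['jti'], $claims['exp']) || (int) $claims['exp'] <= time()) {
        return false;
    }
    return !$denylist->isRevoked((string) $claims['jti']);
}

// Logout handler; accept only POST so a third-party page cannot log the user out.
function logout(TokenDenylist $denylist, ?array $jwtClaims = null): void
{
    // Step 1: clear all session data
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];

    // Step 2: expire the cookie with the attributes it was issued with
    // (the PHP >= 7.3 options array form also preserves SameSite)
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax',
        ]);
    }

    // Step 3: remove the server-side session storage
    session_destroy();

    // Step 4: if the client also holds a JWT, deny it until its natural expiry
    if ($jwtClaims !== null && isset($jwtClaims['jti'], $jwtClaims['exp'])) {
        $denylist->revoke((string) $jwtClaims['jti'], (int) $jwtClaims['exp']);
    }

    // Step 5: keep this response out of caches and redirect with 303 after the POST
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Location: /login.php', true, 303);
    exit;
}
```

One caveat on step 5: `Cache-Control: no-store` on the logout response alone does not stop the "Back" button from showing a previously rendered account page; that header has to be sent on every authenticated response, which is why it is usually set in shared middleware rather than only in the logout handler.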

**Tools:** OWASP ZAP, Manual Session Testing, Burp Suite, SonarQube
