tags:

views:

127

answers:

1
+2  Q: 

Simple code to expire Drupal cookie?

With a single click this simple script will do a multi-logout of:

Moodle

Elgg

2 MyBB's and

(not) Drupal.

    <?php
setcookie( 'Elgg', '', -3600, '/', '.domain.com', false, false);
setcookie( 'http_auth_ext_complete', '1', -3600, '/d/', '.domain.com', false, false);
// setcookie( 'http_auth_ext_complete', '1', -3600, '/d/', 'domain.com', false, false); 
setcookie( 'mybbuser', '', -3600, '/', '.domain.com', false, false);
setcookie( 'mybbuser', '', -3600, '/bb/', '.domain.com', false, false);

   // unset all 3 Moodle cookies, the lazy way
    if (isset($_SERVER['HTTP_COOKIE'])) {
        $cookies = explode(';', $_SERVER['HTTP_COOKIE']);
        foreach($cookies as $cookie) {
            $parts = explode('=', $cookie);
            $name = trim($parts[0]);
            setcookie($name, '', time()-1000);
            setcookie($name, '', time()-1000, '/');
        }
    }

    ?>

This works on four sites but the Drupal cookie won't quit. How can I do the same with Drupal?

Note: Drupal uses 'host' instead of 'domain', neither with or without the '.' works so far.

Thank you.

EDIT: I'm sure the cookie twice had "Host domain.com" and on another login used the more standard format "Domain .domain.com"

The cookie named "http_auth_ext_complete" is getting expired and I am still logged in. Drupal uses a second cookie with the session ID as the cookie name + there is a matching entry in the session database table, also.

+3  A: 

The name of the session cookie used by Drupal is not constant, but constructed based on an MD5 hash of the cookie domain of the specific Drupal installation - see conf_init() in 'bootstrap.inc' for details (hashing occurs on the last line of the function).

This session cookie is the one you'd need to get rid of in order to enforce a log out. If your script is supposed to work for a specific Drupal instance only, you could adjust it to use the specific session cookie name (will break if the cookie domain changes). If it is intended for a more general use, you'd need to come up with a dynamic version that mimics the way Drupal generates the name, i.e. 'SESS' . md5([cookie_domain]), with some complications in case of SSL.

Henrik Opel  2010-06-03 09:09:37
Henrik,You helped a lot since I didn't notice this... SESSba531e5bb92e887209d374287940xxxx... was the exact same cookie name on each login. Thank you very much. :)"Vote Up requires 15 reputation" (Hopefully others will come through)
This_Is_Fun  2010-06-03 09:49:45

related questions

Storing xml data in a cookie
Best way to secure an AJAX app
Is it possible to delete subdomain cookies?
What are the possible causes of a CGI::Session::CookieStore::TamperedWithCookie exception in rails
How do I access cookies within Flash?
Cookies and subdomains
Accessing Domain Cookies within an iFrame on Internet Explorer
Web Dev - Where to store state of a shopping-cart-like object?
Can JQuery read/write cookies to a browser?
Can you reliably set or delete a cookie during the server side processing of an Ajax (XHR) call?
How can I add cookies to Seaside responses without redirecting?
passing or reading .net cookie in php page
Best way for allowing subdomain session cookies using Tomcat
Why can't I delete this cookie?!
Apache Download: Make sure that page was viewed before download
Secure session cookies in ASP.NET over HTTPS
Always including the user in the django template context
How do you set up use HttpOnly cookies in PHP
How exactly do you configure httpOnlyCookies in ASP.NET?
How do you configure HttpOnly cookies in tomcat / java webapps?
How do HttpOnly cookies work with AJAX requests?
What is the best way to prevent session hijacking?
Associating source and search keywords with account creation
How would you implement FORM based authentication without a backing database?
How do I stop IIS7 dropping my cookies?