PHP Sessions - Best practices for logout

Question

I'm working on a PHP Application that uses the session_destroy() method to log a user out of the system, because it is considered good practice to destroy all session information on logout.

However, I'd like to store some information like "Last login date, Last Username" etc indefinitely (until the browser's cache/cookies are flushed). This information will be used to build subtle personalisation features for the user/people using the same browser.

I cannot store this data on the server because this information needs to be identified with the Browser , not a User of the system, and I have no data that uniquely identifies a browser reliably.

What is the best/recommended way of going about this? I'm currently thinking multiple sessions, and using one of them to store this kind of information, and not destroying it.

Any good advice would be appreciated. Security is a concern for this application. Thanks in advance!

Edit: Bottom line: Is not destroying a session completely opening up security risks like session hijacking?

Answer 1

It is better (and you have to ) to store the last_login and last_login_ip in the users table in the database than in the client side. What if the browser is crashed, or if the user logs in using another browser / computer.

The session_destroy() is the right one. Or if you wanna do more, you can reset the session, which is not recommended and call session_destroy() like this:

$_SESSION = array();
session_destroy();

But I would recommend clearing only the particular session information that you have set using the application. Say, for example:

unset($_SESSION["user"]);

---

because remember, the data I'm storing here would be used after the user has been logged out, which means I have no way of identifying the user

You are storing the data on the database, which means, there's no way, you can mistake. The comment is crazy. Let me give an example for what you said first. Consider the last_login and last_login_ip , and you do this:

Query_The_Server("UPDATE `users` SET `last_login`=NOW(), `last_login_ip`='{$_SERVER["REMOTE_ADDR"]}' WHERE `user_id`={$_SESSION["user"]["user_id"]}");

Now tell me, how can the above thing fail?

---

Example: in the login page, I want to say "Last logged in user on this machine was: John".

This calls for a privacy issue. Say, for eg., I log into the app, and logout, and my friend logs in or some other person, who's waiting to hit on me, logs in. He finds that I have logged in previously and this might be a privacy issue. Think about it.

But still, if this is what you wanna do, then yes, do not use session_destroy() , instead use unset($_SESSION["user"]); or whatever you stored to identify the user and don't touch the last_user .

Another idea would be:

$_SESSION["last_user"] = $_SESSION["user"]
unset($_SESSION["user"]);                         // Technically logging out.
unset($_SESSION["last_user"]["private_stuff"]);   // Make sure you clear the private stuff.

Answer 2

You would need to store the data into some form of permanent storage, as session data is only stored until the user closes their browser.

Then get that data from the medium and display it until another user logs in.

Then run:

session_destroy();