
I have the following logout action:

public function logoutAction() {
    Zend_Auth::getInstance()->clearIdentity();
    Zend_Session::destroy();

    $this->_helper->flashMessenger->addMessage(array('success' =>
        _('You were successfully logged out.')));
    $this->_redirect('/index/index');
}

If I don't comment out the line Zend_Session::destroy(), I get this error:

Fatal error: Uncaught exception 'Zend_Session_Exception' with message 'The session was explicitly destroyed during this request, attempting to re-start is not allowed.' in /usr/local/share/php/library/Zend/Controller/Plugin/Broker.php on line 336 Zend_Session_Exception: The session was explicitly destroyed during this request, attempting to re-start is not allowed.

I have read about this issue here and here but remain unclear on how I should proceed. Should I just not use Zend_Session::destroy()? What would be the implications and dangers of not using it, and what is the alternative?

dimbo

2 Answers


What causes your problems is that, right after destroying the session, you are reusing it (via the FlashMessenger). If not destroying the session after logout bothers you, you could display a logout page instead of redirecting to your front page with a flash message.

Leaving some of your session data intact after your user has logged out might have security implications, but that depends on what you store in your session and where and how you use the data. In order to make sure that you don't keep data in your session that belonged to the logged-in user, just use a specific session namespace for this data and call unsetNamespace() upon logout.

dbrumann

Zend_Auth has its own session namespace, and after Zend_Auth::getInstance()->clearIdentity(); it removes it, so there is no need to destroy all session namespaces if you use them.

Example of what happens here:

// logging user
$_SESSION['Zend_Auth'] = 'logged user data';
// after Zend_Auth::getInstance()->clearIdentity();
$_SESSION['Zend_Auth'] = null;
// after Zend_Session::destroy();
session_destroy();
Vytautas
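The two approaches both answers describe, written out as an added example (not code from the question or either answer): one action that clears the identity and only the user's own namespace so the FlashMessenger redirect still works, and one that destroys the whole session but renders a logout page instead of redirecting. The namespace name 'UserData' and the controller class are assumptions; the Zend_Session calls are the ZF1 static API.

```php
<?php
// Added example for a Zend Framework 1 action controller. Assumes the
// application keeps per-user data in a session namespace named 'UserData'
// (hypothetical name); adjust to the namespaces your application uses.
class AuthController extends Zend_Controller_Action
{
    // Option 1: keep the session alive so the flash message survives
    // the redirect, but remove everything that belonged to the user.
    public function logoutAction()
    {
        // Clears the 'Zend_Auth' namespace that holds the identity.
        Zend_Auth::getInstance()->clearIdentity();

        // Remove the application's own user data instead of destroying
        // the whole session (destroying it breaks the FlashMessenger).
        Zend_Session::namespaceUnset('UserData');

        // Issue a fresh session id so the pre-logout id is no longer
        // valid; cheap protection against reuse of a captured id.
        Zend_Session::regenerateId();

        $this->_helper->flashMessenger->addMessage(array(
            'success' => _('You were successfully logged out.'),
        ));
        $this->_redirect('/index/index');
    }

    // Option 2: destroy the whole session and show a logout page directly.
    // Nothing after destroy() may touch the session, so no FlashMessenger
    // and no redirect to a page that reads session data.
    public function logoutPageAction()
    {
        Zend_Auth::getInstance()->clearIdentity();
        // true removes the session cookie as well; true marks the
        // destroyed session read-only so a re-start raises an exception.
        Zend_Session::destroy(true, true);

        $this->view->message = _('You were successfully logged out.');
        // The logout-page.phtml view script renders the message.
    }
}
```

Option 2 only works if no front-controller plugin or layout helper reads the session after dispatch, which is exactly the re-start that raised the exception in the question.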