Implemented Cookies set by Addon get deleted on Logout

Sadik B

Well-known member
This is not really a bug, but more of a condition arising out of code design.

XenForo_Helper_Cookie::deleteAllCookies has a skip array for it's first parameter. However the Logout controller calls XenForo_Helper_Cookie::deleteAllCookies with array('session') specified.

Now consider the situation where an addon wants to use XenForo's methods to set and get cookies. However any cookie set by an addon using XenForo's methods will be deleted when a user logs out irrespective of what the expiration is set as. This is because the deleteAllCookies is called from the XenForo_ControllerPublic_Logout class with no way to extend or add to the $skip array.

As a suggestion if $skip array was set by a method like getSkipCookies() and then passed to the deleteAllCookies method then getSkipCookies could be extended by addons allowing them to use XenForo_Helper_Cookie set and get cookie methods.


XenForo developer
Staff member
As you roughly implied, this is basically as designed: the expectation of a logout is roughly equivalent to forgetting anything about the user, so that would include the cookies. I can see where there might be exceptions to this, but I've moved this to suggestions for now (though it is a small change).

Sadik B

Well-known member
I can understand your logic on this and it makes sense.

I would however raise the point that when a user logs out we want to forget everything about the user's session and not necessarily the user. Destroying the session cookie serves that purpose. If I would go by your reasoning then there is no point to the expiration parameter for a cookie. What you are saying is that every cookie is to be deeleted on logout even if an expiration at a particular time was intentionally set.

For now, for my requirement I have simply rewritten methods to set and get cookies, but it would be better using XenForo's provided methods... :)

- Sadik


Well-known member
FWIW, there is more control over this in 1.5 Beta 2.
Hey Mike, is there a post explaining the changes done by chance? Was this change specific to add-ons or can I use it for general JS I'm trying to do(cookies staying upon logging out). If you could point in a direction if possible that would be awesome.

Chris D

XenForo developer
Staff member
If this is a style related thing then you may be out of luck. The control Mike mentions is handled in the LogOut controller.
protected function _getRetainedCookies()
    // do not include the cookie prefix
    return array('session', 'tfa_trust');
You would need to extend the above function, and add additional names (excluding the prefix) to that array. Any names added there are skipped when cookies are deleted.