Implemented Cookies set by Addon get deleted on Logout

Sadik B

Sadik B

Well-known member
This is not really a bug, but more of a condition arising out of code design.

XenForo_Helper_Cookie::deleteAllCookies has a skip array for it's first parameter. However the Logout controller calls XenForo_Helper_Cookie::deleteAllCookies with array('session') specified.

Now consider the situation where an addon wants to use XenForo's methods to set and get cookies. However any cookie set by an addon using XenForo's methods will be deleted when a user logs out irrespective of what the expiration is set as. This is because the deleteAllCookies is called from the XenForo_ControllerPublic_Logout class with no way to extend or add to the $skip array.

As a suggestion if $skip array was set by a method like getSkipCookies() and then passed to the deleteAllCookies method then getSkipCookies could be extended by addons allowing them to use XenForo_Helper_Cookie set and get cookie methods.
 
Upvote 0
This suggestion has been implemented. Votes are no longer accepted.
As you roughly implied, this is basically as designed: the expectation of a logout is roughly equivalent to forgetting anything about the user, so that would include the cookies. I can see where there might be exceptions to this, but I've moved this to suggestions for now (though it is a small change).
 
I can understand your logic on this and it makes sense.

I would however raise the point that when a user logs out we want to forget everything about the user's session and not necessarily the user. Destroying the session cookie serves that purpose. If I would go by your reasoning then there is no point to the expiration parameter for a cookie. What you are saying is that every cookie is to be deeleted on logout even if an expiration at a particular time was intentionally set.

For now, for my requirement I have simply rewritten methods to set and get cookies, but it would be better using XenForo's provided methods... :)

Best,
- Sadik
 
Mike said:
FWIW, there is more control over this in 1.5 Beta 2.
Click to expand...

Hey Mike, is there a post explaining the changes done by chance? Was this change specific to add-ons or can I use it for general JS I'm trying to do(cookies staying upon logging out). If you could point in a direction if possible that would be awesome.
 
If this is a style related thing then you may be out of luck. The control Mike mentions is handled in the LogOut controller.
PHP: 
protected function _getRetainedCookies()
{
    // do not include the cookie prefix
    return array('session', 'tfa_trust');
}
You would need to extend the above function, and add additional names (excluding the prefix) to that array. Any names added there are skipped when cookies are deleted.
 

Similar threads

Saphira
  • Question Question
Cookies...
Replies
2
Views
421
Saphira
Saphira
⭐ Alex ⭐
  • Solved
XF 2.2 Is There Still a Reason to Not Use SameSite Strict or Lax for Cookies?
Replies
8
Views
457
⭐ Alex ⭐
⭐ Alex ⭐
⭐ Alex ⭐
Why exactly do we need a cookie notice for third party cookies?
Replies
1
Views
530
⭐ Alex ⭐
⭐ Alex ⭐
mattrogowski
Confusing app_api_validate_request event behaviour
Replies
0
Views
331
mattrogowski
mattrogowski
Orit
XF 2.2 Problem with POST method in new API endpoint
Replies
4
Views
576
Orit
Orit
Top Bottom