Why is the xf_session cookie not removed when a user logs in?

Marcus

Well-known member
Each visitor gets a xf_session cookie. With the login you also get a xf_user cookie. When you disable the xf_session cookie after login, the xf_user cookie lets you still browsing the community as a logged in member. What are the purposes of the xf_session cookies? I found these:
  • guest personalized settings like "disable this information"
  • the login pages - I guess as well as the register pages - only work with this cookie
The xf_session cookie is always used on all pages regardeless whether the user is logged in (uses the xf_user cookie) or even logged in within the admin area (the xf_admin cookie is used here).


Why is the xf_session cookie not removed when a user logs in?


As a sidenote: The xf_user cookie lets you browse the community pages without the xf_session cookie. The xf_admin cookie only works with the xf_session cookie.
 
Last edited:
Top Bottom