LOGBOOK

HELP

Quiz Entry - updated: 2026.06.25

When a user clicks Logout, what must the server do?

Immediately invalidate the session server-side — not just clear the client's cookie. Removing the cookie locally without removing the server entry leaves a usable credential that an attacker who already has it can keep using.

A common bug:

// Bad logout — only clears the client cookie
document.cookie = "sid=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;";

If the attacker already captured that cookie (XSS, MITM, malware), they still have it. The server happily accepts it on the next request because the session is still in the store.

Correct logout:

  1. Server: delete (or mark invalid) the session record in the session store (DB, Redis, etc.).
  2. Server: send Set-Cookie: sid=; Max-Age=0; HttpOnly; Secure; SameSite=Lax to clear it on the client too.
  3. (Recommended) If the user has multiple devices, offer "log out everywhere" that invalidates all of their sessions, not just this one.
  4. (Recommended) On password reset or "this wasn't me" reports, invalidate all sessions automatically.

The rule is unambiguous: "Bei einem Logout durch den Benutzer ist die Session immer sofort zu beenden und ungültig zu machen!"immediately end and invalidate.

Tip: Most frameworks make this a one-liner (Django logout(request), PHP session_destroy(), etc.). The bug usually appears in custom auth code, not framework defaults.

From Quiz: ISF / Session Handling & Login Protocols | Updated: Jun 25, 2026