From dfbaf621de80c4715ce020e6c85a240166f0e418 Mon Sep 17 00:00:00 2001
From: Iain Kay
Date: Thu, 11 Jul 2013 19:41:50 +0000
Subject: [PATCH] When destroying a users session on the server we now also remove all session data immediately, rather than relying on garbage collection, and we destroy the cookie on the users browser.

---
 public/include/classes/user.class.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/public/include/classes/user.class.php b/public/include/classes/user.class.php
index 68616e3e..86250001 100644
--- a/public/include/classes/user.class.php
+++ b/public/include/classes/user.class.php
@@ -387,7 +387,16 @@ class User {
 **/
 public function logoutUser($redirect="index.php") {
 $this->debug->append("STA " . __METHOD__, 4);
+ // Unset all of the session variables
+ $_SESSION = array();
+ // As we're killing the sesison, also kill the cookie!
+ if (ini_get("session.use_cookies")) {
+ $params = session_get_cookie_params();
+ setcookie(session_name(), '', time() - 42000, $params["path"], $params["domain"], $params["secure"], $params["httponly"]);
+ }
+ // Destroy the session.
 session_destroy();
+ // Enforce generation of a new Session ID and delete the old
 session_regenerate_id(true);
 // Enforce a page reload
 header("Location: $redirect");
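Review bot: The comment added above `session_regenerate_id(true)` promises a new session ID, but the call runs after `session_destroy()`, when no session is active, so it cannot regenerate anything; on current PHP versions it returns false with a warning. Since the session data and the cookie are already removed by the lines above it, the call and its comment can be dropped, or replaced with `// Session data and cookie are gone; the next session_start() issues a fresh ID`. If a new anonymous session is wanted right away, it would need a `session_start()` before the regenerate call, and the resulting Set-Cookie would then supersede the expiry cookie set a few lines earlier. Separately, `setcookie()` only takes effect if no output has been sent yet, so its return value is worth logging through `$this->debug->append()`, and the added comment has a typo ("sesison"). The body of `logoutUser` continues past the end of the hunk, so whether execution stops after the `Location` header is not visible here.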