Build Your Own PHP Framework

34. Logging out
Transcript

00:00
Finally, let's take a look at logging the user out. Now, this is a really important one because we are going to need to combine this as well
00:08
as our login and register and any other routes where we post through to, we'll combine this with cross-site request forgery protection, an incredibly important security aspect of any site that we build. We're not going to touch on that just yet because we're going to need to build this
00:24
up a little bit later and really talk through it. But this is the reason that when we create a logout link, we're actually going to post through to a logout route. We're not going to have a get link that we can just click and log the user out.
00:40
Now, in a nutshell, the reason that we are going to post through to a route to logout is that we can then generate a token within a form and make sure that it's the actual user who's trying to authenticate or trying to log a user out. So keep that in the back burner.
00:55
We will go ahead and implement logout in this way and when we come back to cross-site request forgery protection later, we will see why we need to do this. Okay, so let's get started once again with a controller and a route and we don't need a view for this, which is handy.
01:11
So let's go and just choose any of these controllers. Go ahead and create out a logout controller. We can even put that within one of the other controllers, it's up to you. And let's go and create a logout controller.
01:24
For this, we don't need a view. So we can get rid of this from our dependency list and I'm going to switch this back over to invoke and just get rid of everything in here and we can go ahead and get rid of this method as well.
01:35
So we're nice and tidy. Okay, so in our web routes, let's go and create out a logout route with our logout controller and let's start to post through to this. Remember, this needs to be post for when we look at cross-site request forgery protection
01:52
later. Okay, so in our navigation, let's go and add in a logout link. So this will be within here. Let's add this down here and we will create a form out inside of here with an action of
02:05
logout, a method of post, and then in here we'll have a button with a type of submit and that will log the user out. Now it's not going to look great at the moment because a button is styled differently, but once you introduce styles into this, you can style it to look like a normal link.
02:24
Okay, so now that we've got that, let's have a look and yeah, we can click through onto there and go ahead and post through to the route. We get an error because we're not providing any kind of response at the moment, but we can do that in here.
02:36
To log out is incredibly simple. Once again, we just access our auth, go ahead and call logout, that will sign us out and then we can go ahead and return a new redirect response and we'll redirect the user over to the homepage.
02:50
That is all we need to do. So let's go over and try this out, hit logout and sure enough, we're logged out. We can go ahead and log in again and we will be signed in as normal. Great.

Episode summary

In this episode, we focus on implementing the logout functionality in our site. Logging out is super important—not just because users need to sign out, but also since it ties closely with some fundamental security practices, like CSRF (Cross-Site Request Forgery) protection. While we won’t deal with CSRF in detail just yet, you'll get a preview of why these two features often go hand in hand.

We start by creating a logout route and controller. Instead of providing a simple GET link that instantly logs a user out (which can be a security risk!), we'll make a POST request to the logout route. That way, we can later add a CSRF token to prevent malicious sites from tricking people into logging themselves out without their consent.

You’ll see how to add a logout form in our navigation—don’t worry if it doesn’t look perfect yet, because we can always style the button to appear more like a regular link later.

Lastly, we walk through the backend logic: just calling the logout method on the auth system, then redirecting the user to the homepage. As always, we test it out to make sure everything's working, and confirm that users can log in and out smoothly.
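The logout flow from this episode as an added PHP example, not the course's own code: the `Request`, `RedirectResponse` and `Auth` classes are assumed stand-ins for whatever the framework provides, and the explicit method check and server-side session invalidation are additions a practitioner would want rather than steps shown in the video.

```php
<?php
declare(strict_types=1);

// Assumed stand-ins for the framework's own request and response classes;
// they are not the course's code, only enough to make this file self-contained.
final class Request
{
    public function __construct(public readonly string $method) {}
}

final class RedirectResponse
{
    public function __construct(public readonly string $location, public readonly int $status = 302) {}
}

// Assumed session-backed auth service. Signing out must invalidate the server-side
// session and expire its cookie, not merely forget the user id, so that a captured
// session cookie cannot be replayed after the user has logged out.
final class Auth
{
    public function logout(): void
    {
        $_SESSION = [];
        if (session_status() === PHP_SESSION_ACTIVE) {
            if (ini_get('session.use_cookies')) {
                $p = session_get_cookie_params();
                setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
            }
            session_destroy();
        }
    }
}

// Invokable controller, as in the episode: no view, just log out and redirect home.
final class LogoutController
{
    public function __construct(private Auth $auth) {}

    public function __invoke(Request $request): RedirectResponse
    {
        // The route is registered for POST only; checking here as well means a plain
        // GET link (or an <img src="/logout"> embedded on another site) cannot end the
        // session, and it gives the later CSRF token check a single place to live.
        if ($request->method !== 'POST') {
            throw new RuntimeException('Logout must be requested with POST', 405);
        }
        $this->auth->logout();
        return new RedirectResponse('/');
    }
}

// The navigation form that posts to the route (style the button as a link later):
// <form action="/logout" method="post"><button type="submit">Log out</button></form>
```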
