Build Your Own PHP Framework

Sign in Get started

This episode is for members only

Sign up to access "Build Your Own PHP Framework" right now.

Already a member? Sign in to continue

Playing

34. Logging out

Episodes

0%

Your progress

Total: 4h 45m
Played: 0m
Remaining: 4h 45m

Join or sign in to track your progress

01. Setting up

01. Introduction

02. Composer and PSR-4 Autoloading

03. Bootstrapping and structure

04. Error reporting with Ignition

02. Container

05. Using a container

06. Adding service providers

07. Autowiring with reflection

08. Refactoring to a singleton

03. Application config

09. Building the Config class

10. Reading and merging config files

11. Registering service providers through config

12. Using env files

04. Routing and controllers

13. Everything starts with requests

14. Adding routing

15. Responding in routes

16. Cleaning up responding

17. Defining routes in a separate file

18. Creating a controller

19. Using services inside controllers

05. Views

20. Installing Twig

21. Rendering a view

22. Debugging in Twig

23. Creating a base layout

24. Page titles in Twig

25. Creating a Twig config helper

06. Database

26. Setting up and querying the database

27. Working with models

28. Creating an example user profile page

07. Authentication

29. Setting up Sentinel

30. Creating the registration flow

31. Registering and authenticating a user

32. Showing authenticated state

34. Logging out

08. CSRF Protection

35. Protecting routes with CSRF

36. Adding tokens to forms

09. Flashing messages

37. Basic session flashing

38. Creating a Twig helper and flashing globally

10. Validation

39. Validating the login form

40. Manually adding validation errors

41. Validating the registration form

42. Custom validation rules

11. Middleware

43. How middleware works

44. Adding auth middleware and grouping routes

45. Persisting old form data

12. Exception handling

46. Creating an exception handler

47. Custom 404 (and other error) views

48. Rendering views for CSRF errors

13. Pagination

49. Paginating with Eloquent

50. Building a pagination view with Twig

14. Global helpers

51. Registering functions with PSR-4

52. Container resolution helper

53. View and config helpers

54. Route generator helper

Transcript

00:00

Finally, let's take a look at logging the user out. Now, this is a really important one because we are going to need to combine this as well

00:08

as our login and register and any other routes where we post through to, we'll combine this with cross-site request forgery protection, incredibly important security aspect of any site that we build. We're not going to touch on that just yet because we're going to need to build this

00:24

up a little bit later and really talk through it. But this is the reason that when we create a logout link, we're actually going to post through to a logout route. We're not going to have a get link that we can just click and log the user out.

00:40

Now, in a nutshell, the reason that we are going to post through to a route to logout is that we can then generate a token within a form and make sure that it's the actual user who's trying to authenticate or trying to log a user out. So keep that in the back burner.

00:55

We will go ahead and implement logout in this way and when we come back to cross-site request forgery protection later, we will see why we need to do this. Okay, so let's get started once again with a controller and a route and we don't need a view for this, which is handy.

01:11

So let's go and just choose any of these controllers. Go ahead and create out a logout controller. We can even put that within one of the other controllers, it's up to you. And let's go and create a logout controller.

01:24

For this, we don't need a view. So we can get rid of this from our dependency list and I'm going to switch this back over to invoke and just get rid of everything in here and we can go ahead and get rid of this method as well.

01:35

So we're nice and tidy. Okay, so in our web routes, let's go and create out a logout route with our logout controller and let's start to post through to this. Remember, this needs to be post for when we look at cross-site request forgery protection

01:52

later. Okay, so in our navigation, let's go and add in a logout link. So this will be within here. Let's add this down here and we will create a form out inside of here with an action of

02:05

logout, a method of post, and then in here we'll have a button with a type of submit and that will log the user out. Now it's not going to look great at the moment because a button is styled differently, but once you introduce styles into this, you can style it to look like a normal link.

02:24

Okay, so now that we've got that, let's have a look and yeah, we can click through onto there and go ahead and post through to the route. We get an error because we're not providing any kind of response at the moment, but we can do that in here.

02:36

To logout is incredibly simple. Once again, we just access our auth, go ahead and call logout, that will sign us out and then we can go ahead and return a new redirect response and we'll redirect the user over to the homepage.

02:50

That is all we need to do. So let's go over and try this out, hit logout and sure enough, we're logged out. We can go ahead and log in again and we will be signed in as normal. Great.

Episode summary

In this episode, we focus on implementing the logout functionality in our site. Logging out is super important—not just because users need to sign out, but also since it ties closely with some fundamental security practices, like CSRF (Cross-Site Request Forgery) protection. While we won’t deal with CSRF in detail just yet, you'll get a preview of why these two features often go hand in hand.

We start by creating a logout route and controller. Instead of providing a simple GET link that instantly logs a user out (which can be a security risk!), we'll make a POST request to the logout route. That way, we can later add a CSRF token to prevent malicious sites from tricking people into logging themselves out without their consent.

You’ll see how to add a logout form in our navigation—don’t worry if it doesn’t look perfect yet, because we can always style the button to appear more like a regular link later.

Lastly, we walk through the backend logic: just calling the logout method on the auth system, then redirecting the user to the homepage. As always, we test it out to make sure everything's working, and confirm that users can log in and out smoothly.

Episode discussion

No comments, yet. Be the first!