Trongate PHP Framework Docs

Destroying Tokens

When a user logs out, you need to destroy their token. This removes it from their device and from the database, ensuring they can't access protected pages until they log in again.

The destroy() Method

Use the destroy() method to remove tokens completely:

This method takes no parameters and performs a complete cleanup.

What destroy() Does

When you call destroy(), the framework:

  1. Clears the session token
    • Unsets $_SESSION['trongatetoken']
  2. Destroys the cookie token
    • Sets $_COOKIE['trongatetoken'] to expire in the past
  3. Deletes tokens from the database
    • Removes the current user's tokens from trongate_tokens table
  4. Cleans up expired tokens
    • Automatically purges all expired tokens from the database

The method runs this cleanup internally, so you don't need to clean up expired tokens manually during logout.

Basic Logout Example

Here's a simple logout method:

That's it. Two lines of code for a complete logout.

Logout with Confirmation Message

Add a flashdata message to confirm successful logout:

Complete Logout Workflow

Here's a more complete example showing login and logout together:

This example assumes you have a members_area template and a public template created.

What Happens If No Token Exists?

Calling destroy() when no token exists is safe. The method will:

  • Not throw any errors
  • Not cause any warnings
  • Simply complete successfully

This means you can safely call destroy() even if you're not sure whether a user has a token.

Manual Token Cleanup

While destroy() automatically cleans up expired tokens, you might want to run manual cleanup as a maintenance task.

The delete_old_tokens() Method

Usage 1: Clean up all expired tokens

This removes all tokens where expiry_date < current_time.

Usage 2: Delete all tokens for a specific user

This removes all tokens for the specified user, regardless of expiry date.

When to Use Manual Cleanup

  • Scheduled maintenance - Run via cron job to keep database clean
  • User deletion - Remove all tokens when deleting a user account
  • Security incidents - Force logout of specific users
  • Password changes - Invalidate existing sessions when password changes

Example: Force Logout on Password Change

This ensures the user must log in again on all devices after changing their password.
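
The two cleanup modes described above and the force-logout-on-password-change pattern, as an added example rather than Trongate's own code: it runs the equivalent deletes with plain PDO against an in-memory SQLite copy of trongate_tokens. The user_id column, the Unix-timestamp format of expiry_date, and the helper names purge_expired(), revoke_user() and remaining() are assumptions, and the rows are constructed sample data.

```php
<?php
// Added illustration: plain PDO on in-memory SQLite, not Trongate's own code.
// Assumed schema: only the table name and expiry_date appear on this page;
// user_id and the Unix-timestamp expiry format are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE trongate_tokens (
    id INTEGER PRIMARY KEY, token TEXT, user_id INTEGER, expiry_date INTEGER)');

// Constructed sample rows: user 7 is signed in on two devices, user 9 on one.
$now = time();
$rows = [
    ['tok-a-laptop', 7, $now + 3600],   // still valid
    ['tok-a-phone',  7, $now + 86400],  // still valid
    ['tok-a-stale',  7, $now - 60],     // already expired
    ['tok-b-laptop', 9, $now + 3600],   // still valid, different user
    ['tok-b-stale',  9, $now - 7200],   // already expired
];
$ins = $db->prepare(
    'INSERT INTO trongate_tokens (token, user_id, expiry_date) VALUES (?, ?, ?)');
foreach ($rows as $r) { $ins->execute($r); }

// Usage 1 semantics: purge every token where expiry_date < current time.
function purge_expired(PDO $db, int $now): int {
    $stmt = $db->prepare('DELETE FROM trongate_tokens WHERE expiry_date < ?');
    $stmt->execute([$now]);
    return $stmt->rowCount();
}

// Usage 2 semantics: revoke every token for one user, expired or not.
function revoke_user(PDO $db, int $user_id): int {
    $stmt = $db->prepare('DELETE FROM trongate_tokens WHERE user_id = ?');
    $stmt->execute([$user_id]);
    return $stmt->rowCount();
}

// Tokens that would still authenticate a request after the cleanup.
function remaining(PDO $db): array {
    return $db->query('SELECT token FROM trongate_tokens ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);
}

$purged  = purge_expired($db, $now); // scheduled maintenance pass
$revoked = revoke_user($db, 7);      // user 7 changed their password
echo "purged=$purged revoked=$revoked\n";
echo 'still valid: ', implode(',', remaining($db)), "\n";
```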

Example: Delete User Account and Tokens

Scheduled Maintenance with Cron

For large applications, schedule automatic cleanup:

Set up a cron job to run daily:

This runs at 2 AM every day and purges expired tokens.

Security Considerations

  • Always destroy tokens on logout - Never just redirect without calling destroy()
  • Destroy tokens on password change - Force re-authentication after security changes
  • Clean up on user deletion - Remove tokens when deleting user accounts
  • Use HTTPS - Ensure tokens can't be intercepted during the logout process
  • Run scheduled cleanup - Keep your database clean with regular maintenance

Common Patterns

Pattern 1: Simple Logout

Pattern 2: Logout with Message

Pattern 3: Force Logout All Devices

Chapter Summary

You now know how to:

  • ✅ Understand the three security tables
  • ✅ Generate tokens after successful login
  • ✅ Validate tokens on protected pages
  • ✅ Fetch user data from tokens
  • ✅ Destroy tokens on logout

With these fundamentals, you can build complete authentication systems in Trongate.

What's Next?

Advanced topics to explore:

  • API authentication with HTTP headers
  • The Trongate Security module for scenario-based access control
  • Building complete login/registration systems
  • Multi-device session management
