Description: ------------ towards the end of the function: when setting the $_auth reference back to null, shouldn't the $_perm reference also be set to null (see aforementioned point). also, as after a successful login in tryLogin(), i think it also be wise to call the appropriate disconnect() methods in the auth/perm containers to further clean up. during the unsetting of cookies/session vars: when logging out, the remember-me cookie seems to be killed. this includes the scenario where the user's login expired or idled out. isn't the purpose of the remember-me cookie such that after the user idles our expires, he's able to come back and have his cookie log him back in automatically? the current behavior voids this effect.

The problem with cleaning up in tryLogin is if a connection object was passed it probably means it will be used later. Disconnecting in tryLogin does not sound like a very good idea. As for the cookie, the point of it is to get rid of the authentication process when you come back. Specifically logging out means destroying the cookie as well. Take the following, I go in a cybercafe, when I log in i make the mistake of checking the rememberMe box (or it is checked by default). When I'm about to leave I click the logout button. I leave happy only to later realize the application hasn't really logged me out.

A fix is pending, soon to be committed by markus.

whats happening on this one?

The issue with $_perm not being set to null appears to be fixed already. The patch below causes LiveUser::logout() to only kill the session cookie if the user hasn't idled or expired. --- LiveUser.php 2004-04-22 07:07:06.000000000 -0700 +++ LiveUser.php 2004-04-22 09:45:08.000000000 -0700 @@ -1102,9 +1102,11 @@ call_user_func($this->_options['logout']['function'], $this); } - // If there's a cookie, kill that one too... + // If there's a cookie and the session hasn't idled or expired, kill that one too... if (isset($this->_options['cookie']) && - isset($_COOKIE[$this->_options['cookie']['name']]) + isset($_COOKIE[$this->_options['cookie']['name']]) && + ($this->status != LIVEUSER_STATUS_IDLED || + $this->status != LIVEUSER_STATUS_EXPIRED) ) { // is this what we want? $cookieKillTime = time() - 86400;

I hope to get time to test this patch soon. After a quick look it seems like we need to put an if around the $this->status setting at the beginning of logut(): if ($this->status != LIVEUSER_STATUS_IDLED || $this->status != LIVEUSER_STATUS_EXPIRED ) { $this->status = LIVEUSER_STATUS_LOGGEDOUT; }

This bug has been fixed in CVS. In case this was a documentation problem, the fix will show up at the end of next Sunday (CET) on pear.php.net. In case this was a pear.php.net website problem, the change will show up on the website in short time. Thank you for the report, and for helping us make PEAR better.