Merge pull request #1994 from mateusz/logout-cleanup

BUG Clean up the logOut and session destructon routines.

control/Session.php

@@ -528,10 +528,10 @@ class Session {
 	public static function destroy($removeCookie = true) {
 		if(session_id()) {
 			if($removeCookie) {
-				$path = Config::inst()->get('cookie_path');
+				$path = Config::inst()->get('Session', 'cookie_path');
 				if(!$path) $path = Director::baseURL();
-				$domain = Config::inst()->get('cookie_domain');
+				$domain = Config::inst()->get('Session', 'cookie_domain');
-				$secure = Config::inst()->get('cookie_secure'); 
+				$secure = Config::inst()->get('Session', 'cookie_secure');
 				
 				if($domain) {
 					setcookie(session_name(), '', null, $path, $domain, $secure, true);
@@ -542,7 +542,12 @@ class Session {
 				
 				unset($_COOKIE[session_name()]);
 			}
+
 			session_destroy();
+
+			// Clean up the superglobal - session_destroy does not do it.
+			// http://nz1.php.net/manual/en/function.session-destroy.php
+			unset($_SESSION);
 		}
 	}
 	

security/Member.php

@@ -447,7 +447,8 @@ class Member extends DataObject implements TemplateGlobalProvider {
 	public function logOut() {
 		Session::clear("loggedInAs");
 		if(Member::config()->login_marker_cookie) Cookie::set(Member::config()->login_marker_cookie, null, 0);
-		self::session_regenerate_id();
+
+		Session::destroy();
 
 		$this->extend('memberLoggedOut');