We have moved our forum to GitHub Discussions. For questions about Phalcon v3/v4/v5 you can visit here and for Phalcon v6 here.

phalcon session cannot be destroy from another domain

i have two domain,

first one is named "passport.my-site.com", and it has a logout action in which destroy the session.

the second is named "goods.my-site.com", when i logout from "goods.my-site.com" (i use post ajax to logout, and nginx has add_header Access-Control-Allow-Origin *;), it does execute the logout action in "passport.my-site.com", and the result from $this->session->destroy() is true, BUT after i refresh the page, it still displays login status.

HELP!



4.0k
Accepted
answer

solved.

i know the problem, when i ajax from "goods.my-site.com" to "passport.my-site.com", the request header DOES NOT carry the session key in cookie, so the server does not destroy the real session.