Revoking AuthSub authentication

To terminate the authenticated status of a given token, use the Zend_Gdata_AuthSub::AuthSubRevokeToken() static method. If you do not revoke it, the token remains valid for some time after the user has finished with it, and anyone who holds a copy can keep using it.

<?php
require_once 'Zend/Gdata/AuthSub.php';
session_start();

// Carefully construct this value to avoid application security problems:
// cut $_SERVER['PHP_SELF'] at the first CR/LF so it cannot inject extra
// HTTP headers, and HTML-encode it in case it is also echoed into a page.
$php_self = htmlentities(substr($_SERVER['PHP_SELF'],
                                0,
                                strcspn($_SERVER['PHP_SELF'], "\n\r")),
                         ENT_QUOTES);

if (isset($_GET['logout'])) {
    // Ask Google to invalidate the session token, then forget it locally.
    Zend_Gdata_AuthSub::AuthSubRevokeToken($_SESSION['cal_token']);
    unset($_SESSION['cal_token']);
    header('Location: ' . $php_self);
    exit();
}

Security notes

The treatment of the $php_self variable in the example above is a general security guideline; it is not specific to Zend_Gdata. $_SERVER['PHP_SELF'] can carry attacker-supplied path information appended to the request URI, so the example cuts it at the first CR or LF (which would otherwise let a request smuggle extra lines into the Location header) and HTML-encodes it in case the same value is also written into the page. You should always filter content you output to HTTP headers.

Regarding revoking authentication tokens, it is recommended to do this when the user is finished with her Google Data session. The possibility that someone intercepts the token and uses it for malicious purposes is small, but it is nevertheless good practice to terminate authenticated access to any service once it is no longer needed, so that a stored or leaked token cannot be replayed later.
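The following is an added example, not code from the Zend Framework manual or the Zend_Gdata component, that combines both notes above: it builds the redirect target from $_SERVER['SCRIPT_NAME'] (which, unlike PHP_SELF, does not include attacker-appended path info), revokes the stored token, and discards the local copy whether or not Google confirmed the revocation. It assumes Zend Framework 1.x is on the include path, that the login step stored the session token in $_SESSION['cal_token'] as in the manual's example, and that AuthSubRevokeToken() returns true on an HTTP 200 and throws a Zend_Gdata_App_Exception (or subclass) when the request fails; the helper names are the example's own.

```php
<?php
// Added example; not part of the Zend Framework manual.
// Assumption: Zend Framework 1.x is on the include path.
require_once 'Zend/Gdata/AuthSub.php';
require_once 'Zend/Gdata/App/Exception.php';

session_start();

/**
 * Build a redirect target that is safe to place in a Location header.
 * SCRIPT_NAME holds only the script path, so PATH_INFO an attacker appended
 * to the request URI is not included; CR/LF are still cut off, as the
 * manual's example does with PHP_SELF, and anything that is not a plain
 * local path falls back to "/".
 */
function safeSelfPath()
{
    $self = isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : '/';
    $self = substr($self, 0, strcspn($self, "\r\n"));
    // Reject empty values, relative paths and "//host" forms, which a browser
    // would resolve to another origin.
    if ($self === '' || $self[0] !== '/' || substr($self, 0, 2) === '//') {
        return '/';
    }
    return $self;
}

/**
 * Revoke the AuthSub session token stored in $_SESSION['cal_token'] and
 * forget it locally. Returns true only if Google confirmed the revocation;
 * the local copy is discarded in every case so the application never keeps
 * a token it has already tried to revoke.
 */
function revokeStoredToken()
{
    if (empty($_SESSION['cal_token'])) {
        return false;
    }
    $token   = $_SESSION['cal_token'];
    $revoked = false;
    try {
        // Assumption: returns true on HTTP 200, throws on request failure.
        $revoked = (bool) Zend_Gdata_AuthSub::AuthSubRevokeToken($token);
    } catch (Zend_Gdata_App_Exception $e) {
        // Log the failure class only; never write the token itself to a log.
        error_log('AuthSub revocation failed: ' . get_class($e));
    }
    unset($_SESSION['cal_token']);
    return $revoked;
}

if (isset($_GET['logout'])) {
    $revoked = revokeStoredToken();
    // Issue a fresh session id so the pre-logout session cannot be reused.
    session_regenerate_id(true);
    $_SESSION['logout_notice'] = $revoked
        ? 'Google Data access revoked.'
        : 'Google Data access could not be revoked; the token was discarded locally.';
    header('Location: ' . safeSelfPath());
    exit();
}
```

If revocation fails (for example because Google is unreachable), the token is still dropped from the session; the user is told that it was not confirmed revoked, which matches the manual's advice that the local copy should not outlive the user's session even when the remote side could not be contacted.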
