To terminate the authenticated status of a given token, use the Zend_Gdata_AuthSub::AuthSubRevokeToken() static function. Otherwise, the token is still valid for some time.
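<?php
// Carefully construct this value to avoid application security problems.
// Keep only the part of PHP_SELF that precedes the first CR or LF, then
// encode it, so the value cannot start a second header line.
$php_self = htmlentities(substr($_SERVER['PHP_SELF'],
                                0,
                                strcspn($_SERVER['PHP_SELF'], "\n\r")),
                         ENT_QUOTES);

if (isset($_GET['logout'])) {
    // Revoke the token on the server side, then drop the local copy.
    Zend_Gdata_AuthSub::AuthSubRevokeToken($_SESSION['cal_token']);
    unset($_SESSION['cal_token']);
    // Redirect back to this script without the logout parameter.
    header('Location: ' . $php_self);
    exit();
}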
Security notes
The treatment of the $php_self variable in the example above is a general security guideline; it is not specific to Zend_Gdata. You should always filter content you output to HTTP headers.
Regarding revoking authentication tokens, it is recommended to do this when the user is finished with her Google Data session. The possibility that someone can intercept the token and use it for malicious purposes is very small, but nevertheless it is a good practice to terminate authenticated access to any service.
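
The header-filtering guideline from the security notes, as an added example that is not part of the Zend Framework documentation or code. It applies the same CR/LF truncation as the snippet above and additionally accepts only a local path as the redirect target; the function name redirect_path_from_self(), the fallback value and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not Zend Framework code. The function name and the sample
// inputs below are constructed for illustration.

/**
 * Return a value safe to place after "Location: " for a same-site redirect,
 * or $fallback when the input is not a plain local path.
 */
function redirect_path_from_self(string $rawSelf, string $fallback = '/'): string
{
    // Same truncation as the page's example: keep only what precedes the
    // first CR or LF, so nothing can start a second header line.
    $path = substr($rawSelf, 0, strcspn($rawSelf, "\n\r"));

    // Drop any remaining control characters (NUL, TAB, DEL and so on).
    $path = preg_replace('/[\x00-\x1F\x7F]/', '', $path);

    // Accept only a local absolute path: one leading slash, not "//host"
    // (protocol-relative), and no backslash that a browser may treat as "/".
    if ($path === '' || $path[0] !== '/' || strncmp($path, '//', 2) === 0
        || strpos($path, '\\') !== false) {
        return $fallback;
    }
    return $path;
}

// Constructed sample values standing in for $_SERVER['PHP_SELF'].
$samples = [
    '/calendar/index.php',
    "/calendar/index.php\r\nX-Injected: 1",
    '//example.org/index.php',
    "\r\n/index.php",
];

foreach ($samples as $raw) {
    // json_encode() makes CR/LF in the raw input visible in the output.
    printf("%-45s => %s\n", json_encode($raw), redirect_path_from_self($raw));
}
```

In the logout handler, the returned value would be passed to header('Location: ' . ...) in place of $php_self.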




