properly invalidate session ids on logout

RSSTootalizer/User.pm

@@ -19,6 +19,7 @@ sub authenticate {
 	return 0 unless defined($session_id);
 	my $user = $class->get_by("session_id", $session_id);
 	return 0 unless $user;
+	return 0 if $user->{data}->{session_id} eq "invalid";
 
 	my $instance = $user->{data}->{instance};
 	my $token = $user->{data}->{access_token};

RSSTootalizer/Website/Logout.pm

@@ -17,11 +17,17 @@ sub fill_content {
 
 sub prerender {
 	my $self = shift;
-	$self->{"template"} = "Login";
+	$self->{"template"} = "Logout";
 	$self->{"content_type"} = "html";
-	$self->{"params"}->{"currentmode"} = "Login";
+	$self->{"params"}->{"currentmode"} = "Logout";
 
 	$self->{"set_cookie"} = ("session_id=");
+	my $user = RSSTootalizer::User->authenticate();
+	if ($user){
+		# RSSTootalizer::DB->doUPDATE("UPDATE users SET session_id = 'invalid' WHERE ID = ?", $user->{data}->{ID});
+		$user->{data}->{session_id} = "invalid";
+		$user->save();
+	}
 }
 
 1;

static/templates/Logout.html

@@ -0,0 +1,7 @@
+<TMPL_INCLUDE NAME='_header.html'>
+<div class="container">
+
+You have been successfully logged out. You can <a href="index.pl?mode=Login">Login again</a> if you like.
+
+</div> <!-- /container -->
+<TMPL_INCLUDE NAME='_footer.html'>