Should wordpress_logged_in cookie exist while logged out?

I noticed that while logged out on my WordPress site, my browser is sending this Cookie header with every request (obfuscated for security):

Cookie: wordpress_logged_in_OBFUSCATED=flimm%7COBFUSCATED; PHPSESSID=OBFUSCATED; wordpress_logged_in_OBFUSCATED=flimm%7COBFUSCATED;wordpress_test_cookie=WP+Cookie+check

For readability, here are the cookies in separate lines:

  • wordpress_logged_in_OBFUSCATED=flimm%7COBFUSCATED
  • PHPSESSID=OBFUSCATED
  • wordpress_logged_in_OBFUSCATED=flimm%7COBFUSCATED
  • wordpress_test_cookie=WP+Cookie+check

Is it normal that, even though I am logged out, I still have a wordpress_logged_in_... cookie set, with my old username in it?

Is it normal to have more than one wordpress_logged_in_... cookie set, whether logged in or not?

1 Answer
1

The function wp_logout (https://github.com/WordPress/WordPress/blob/master/wp-includes/pluggable.php#L564) calls the function wp_clear_auth_cookie (https://github.com/WordPress/WordPress/blob/master/wp-includes/pluggable.php#L928), which sets the expiration dates of all involved cookies to something in the past. This also applies to the LOGGED_IN_COOKIE.

Hence, what you observe is strange. For sites that I maintain, the cookie will be cleared when I log out.
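A way to check this on a captured logout exchange, as an added example that is not part of the original question or answer and is not WordPress code: it counts how many copies of each wordpress_logged_in_ cookie the browser sent and lists the (domain, path) scopes that the logout response actually expires. A browser stores cookies per name, domain and path, and an expiring Set-Cookie only removes the entry whose scope matches, so more copies sent than scopes cleared points at a copy that survives logout. The header values, the abc123 suffix and the function names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample data, shaped like the request header in the question.
COOKIE_HEADER = ("wordpress_logged_in_abc123=flimm%7Cx; PHPSESSID=y; "
                 "wordpress_logged_in_abc123=flimm%7Cx;wordpress_test_cookie=WP+Cookie+check")
# Constructed Set-Cookie headers from a logout response.
LOGOUT_SET_COOKIE = [
    "wordpress_logged_in_abc123=%20; expires=Thu, 01 Jan 2015 00:00:00 GMT; Max-Age=0; path=/",
    "wordpress_test_cookie=WP+Cookie+check; path=/",
]
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable result

def sent_names(cookie_header):
    """Count each cookie name in a request Cookie header."""
    return Counter(p.split("=", 1)[0].strip() for p in cookie_header.split(";") if p.strip())

def duplicate_names(cookie_header):
    """Names sent more than once, i.e. stored under more than one domain/path scope."""
    return sorted(n for n, c in sent_names(cookie_header).items() if c > 1)

def cleared_scopes(set_cookie_headers, now):
    """Map cookie name -> set of (domain, path) scopes the response expires."""
    cleared = {}
    for header in set_cookie_headers:
        first, *attrs = [p.strip() for p in header.split(";")]
        name = first.split("=", 1)[0]
        a = {}
        for attr in attrs:
            key, _, value = attr.partition("=")
            a[key.strip().lower()] = value.strip()
        if "max-age" in a:            # Max-Age takes precedence over Expires
            expired = int(a["max-age"]) <= 0
        elif "expires" in a:
            expired = parsedate_to_datetime(a["expires"]) <= now
        else:
            expired = False           # session cookie being set, not cleared
        if expired:
            cleared.setdefault(name, set()).add((a.get("domain", ""), a.get("path", "")))
    return cleared

def logout_report(cookie_header, set_cookie_headers, now, prefix="wordpress_logged_in_"):
    """Per logged-in cookie: copies the browser sent vs. scopes the logout expired."""
    cleared = cleared_scopes(set_cookie_headers, now)
    return {n: {"copies_sent": c, "scopes_cleared": sorted(cleared.get(n, ()))}
            for n, c in sent_names(cookie_header).items() if n.startswith(prefix)}

if __name__ == "__main__":
    print(duplicate_names(COOKIE_HEADER))
    print(logout_report(COOKIE_HEADER, LOGOUT_SET_COOKIE, NOW))
```

In the constructed data two copies are sent but only the path=/ scope is expired, so the second copy must be stored under a different domain or path; the browser's cookie storage view shows which one.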
