Alejandra

Reputation: 726

Session variables survive after logout

I will explain how to reproduce my problem:

  1. Log into my page: session variables are set as $_SESSION['logged'] = true and $_SESSION['id'] = 123.

  2. Inside the main menu, click the log out option. The code is like this:

    function logout()
    {
        session_start();
        // Blank out the login markers first.
        $_SESSION['id'] = null;
        $_SESSION['logged'] = null;

        // Clear all session data. Assigning an empty array is the documented way;
        // unset($_SESSION) disables session handling for the rest of the request.
        $_SESSION = [];

        // Remove the server-side session data.
        session_destroy();

        require_once('Views/SessionExpiredView.php');
    }
    
  3. In the session expired view I display a link to the login page; there, the session is null.

  4. I click back on the browser, and click OK to resend information.

  5. The session is again $_SESSION['logged'] = true and $_SESSION['id'] = 123; I am logged in again and able to see all the information related to the ID 123.

This is a security issue and I don't know what is happening.

Upvotes: 3

Views: 817

Answers (2)

user345201

Reputation: 86

Step 4: You click back and click “Resend information” — that means that you have resent your previous POST information (apparently the login and the password) — so nothing unusual.

A hint: just make a redirect after logging the user in.

Upvotes: 3
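The redirect-after-login hint above, worked through as an added example (this is not code from the asker or from either answer). It uses the Post/Redirect/Get pattern: the login form is POSTed, but the browser's history entry for the logged-in page is a GET, so Back never offers to "resend information". The credential check `check_credentials()`, the paths `/menu.php` and `/login.php`, and the `action=logout` query parameter are assumptions made for the example; the session keys `logged` and `id` mirror the question.

```php
<?php
// auth.php (added example, not the asker's code).
// POST /auth.php            -> log in, then redirect with 303
// GET  /auth.php?action=logout -> log out, then redirect with 303
declare(strict_types=1);

session_start();

// Hypothetical credential check. A real one reads the user store; the hash
// here is constructed inline so the script runs stand-alone.
function check_credentials(string $user, string $pass): ?int
{
    $users = [
        'alice' => ['id' => 123, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    ];
    if (isset($users[$user]) && password_verify($pass, $users[$user]['hash'])) {
        return $users[$user]['id'];
    }
    return null;
}

function logout(): void
{
    // Clear the data, then expire the session cookie so the browser stops
    // presenting the old session id, then drop the server-side record.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();

    // Redirect instead of rendering: Back from the login page lands on a GET.
    header('Location: /login.php', true, 303);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'GET' && ($_GET['action'] ?? '') === 'logout') {
    logout();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $id = check_credentials($_POST['user'] ?? '', $_POST['pass'] ?? '');
    if ($id === null) {
        http_response_code(401);
        echo 'Invalid credentials';
        exit;
    }

    // Issue a fresh session id on the privilege change (session fixation defence).
    session_regenerate_id(true);
    $_SESSION['logged'] = true;
    $_SESSION['id'] = $id;

    // 303 See Other: the POST is consumed here and never becomes a history
    // entry that Back can replay.
    header('Location: /menu.php', true, 303);
    exit;
}

// Anything else: send the visitor to the login form.
header('Location: /login.php', true, 303);
exit;
```

The page that `/menu.php` renders should check `$_SESSION['logged']` on every request and send `Cache-Control: no-store`, so that Back after logout shows neither a cached copy of the menu nor a resend prompt. Note that even with this pattern a user who re-enters valid credentials on the login form is simply logging in again, which is the expected behaviour the second answer describes.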

jeroen

Reputation: 91734

Your step 4 is the problem: you click OK to resend the information, which is effectively your login information from step 1.

You are just logging in again...

Upvotes: 0
