HELP!!! session variables survives after logout!!!

Posted by Alejandra on Stack Overflow See other posts from Stack Overflow or by Alejandra
Published on 2010-05-19T14:59:07Z Indexed on 2010/05/19 15:00 UTC
Read the original article Hit count: 154

Filed under:
|

Hi guys!

I have a problem, will explain how to reproduce the problem:

1- login into my page (sesion variables set as $_SESSION['logged'] = true and $_SESSION['id'] = 123

2-then inside the main menu I click logout option, code like this

function logout()
{
    session_start();
    $_SESSION['id'] = null;
    $_SESSION['logged'] = null;

    unset($_SESSION);

    session_destroy();

    require_once('Views/SessionExpiredView.php');   
}

3- In the session expired view I display a link the login page, there session is null

4- I click back on the browser and click ok to resend information

5- session becomes again $_SESSION['logged'] = true and $_SESSION['id'] = 123 and I'm loggued again and able to see all the information related to the id 123

This is a security issue and I don't know what is happening!!!

any suggestion will be deeply appreciated.

Alejandra

© Stack Overflow or respective owner

Related posts about php

Related posts about sessions