开发者

Session variables survive after logout

I will explain how to reproduce my problem:

  1. Log into my page: session variables are set as $_SESSION['logged'] = true and $_SESSION['id'] = 123.

  2. Inside the main menu, click the log out option. The code is like this:

    function logout()
    {
        session_start();
        $_SESSION['id'] = null;
        $_SESSION['logged'] = null;
    
        unset($_SESSION);
    
        session_destroy();
    
        require_once('Views/SessionExpiredView.php');
    }
    
  3. In the session expired view I display a link to the login page; there, the session is null.

  4. I click back on the browser, and click OK to resend information.

  5. The session becomes again $_SESSION['logged'] = true and $_SESSION['id'] = 123 and I am logged in again and able to see all the information related to the ID 123.

This is a security issue and I don't know wh开发者_开发问答at is happening.


Step 4: You click back and click “Resend information” — that means that you have resent your previous POST information (apparently the login and the password) — so nothing unusual.

A hint: just make a redirect after logging the user in.


Your step 4. is the problem, you click ok to resend the information, which is effectively your login information from step 1.

You are just logging in again...

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜