views: 83
answers: 2

Hi guys!

I have a problem; I will explain how to reproduce it:

1- Log in to my page (session variables set as $_SESSION['logged'] = true and $_SESSION['id'] = 123)

2- Then inside the main menu I click the logout option, code like this:

function logout()
{
    session_start();          // the session must be started before it can be destroyed
    $_SESSION = array();      // clear all session data (the PHP manual advises against unset($_SESSION))
    session_destroy();        // remove the server-side session data

    require_once('Views/SessionExpiredView.php');
}

3- In the session expired view I display a link to the login page; there the session is null

4- I click back on the browser and click OK to resend the information

5- The session becomes again $_SESSION['logged'] = true and $_SESSION['id'] = 123, and I'm logged in again and able to see all the information related to the id 123

This is a security issue and I don't know what is happening!!!

Any suggestion will be deeply appreciated.

Alejandra

+3  A: 

4 - you click back and click "Resend information" - that means that you have resent your previous POST information (apparently the login and the password) - so nothing unusual. A hint: just make a redirect after logging the user in

Yes, as you said, it is normal behavior; I was stressed for no reason hehe. Thanks a lot for your answer and your time :) regards from Guadalajara, Mexico :)
Alejandra
A: 

Your step 4 is the problem: you click OK to resend the information, which is effectively your login information from step 1.

You are just logging in again...

jeroen
Yes, you are right, thanks a lot for your answer :)
Alejandra
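Both answers point at the same thing: the Back button re-submits the login POST, so the browser re-authenticates with the credentials it still has. The fix both answers hint at is the Post/Redirect/Get pattern. The following is an added example, not the asker's code or either answerer's: a single `index.php` front controller that redirects with 303 after a successful login and after logout, so that Back only ever returns a GET page and there is nothing for the browser to resend. The user store, the `/index.php?action=...` URLs and the password are constructed assumptions.

```php
<?php
// Added example (not from the original post): login with Post/Redirect/Get
// and a logout that also redirects, so Back never re-submits the credential POST.
declare(strict_types=1);

// Constructed user table: username => [id, password hash]. A real application
// stores the hash (made once with password_hash()) in a database.
function find_user(string $username): ?array
{
    $users = [
        'alejandra' => ['id' => 123, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    ];
    return $users[$username] ?? null;
}

session_start();
$action = $_GET['action'] ?? 'form';

if ($action === 'login' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = find_user($_POST['username'] ?? '');
    if ($user !== null && password_verify($_POST['password'] ?? '', $user['hash'])) {
        session_regenerate_id(true);        // fresh session id on privilege change
        $_SESSION['logged'] = true;
        $_SESSION['id']     = $user['id'];
        // PRG: the browser's history entry for this URL is now a redirect, so
        // Back returns the menu page via GET instead of offering to resend the POST.
        header('Location: /index.php?action=menu', true, 303);
    } else {
        header('Location: /index.php?action=form&error=1', true, 303);
    }
    exit;
}

if ($action === 'logout') {
    $_SESSION = [];                           // clear data; do not unset($_SESSION)
    if (ini_get('session.use_cookies')) {     // also expire the session cookie in the browser
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    // Redirect instead of require_once-ing the view, for the same PRG reason.
    header('Location: /index.php?action=form&expired=1', true, 303);
    exit;
}

if ($action === 'menu') {
    if (empty($_SESSION['logged'])) {
        header('Location: /index.php?action=form', true, 303);
        exit;
    }
    header('Cache-Control: no-store');       // Back must not show a cached private page after logout
    echo 'Logged in as user ' . (int) $_SESSION['id'] .
         ' <a href="/index.php?action=logout">logout</a>';
    exit;
}

// Default action: the login form. This is a plain GET page, safe to revisit with Back.
?>
<form method="post" action="/index.php?action=login">
  <input name="username"> <input type="password" name="password">
  <button>Login</button>
</form>
```

With this layout the sequence from the question (log in, log out, press Back, confirm) no longer produces a login: the history entry behind the menu is a redirect response, not the POST, so the browser never asks to resend anything. Note that a user who genuinely re-submits the form is still logged in again; that is a legitimate login, not a leaked session, which is the point both answers make. The `Cache-Control: no-store` header covers the related complaint of Back showing a stale copy of a private page after logout.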