Session variables survives after logout

Question

Hi guys!

I have a problem, will explain how to reproduce the problem:

1- login into my page (sesion variables set as $_SESSION['logged'] = true and $_SESSION['id'] = 123

2-then inside the main menu I click logout option, code like this

function logout()
{
    session_start();
    $_SESSION['id'] = null;
    $_SESSION['logged'] = null;

    unset($_SESSION);

    session_destroy();

    require_once('Views/SessionExpiredView.php');   
}

3- In the session expired view I display a link the login page, there session is null

4- I click back on the browser and click ok to resend information

5- session becomes again $_SESSION['logged'] = true and $_SESSION['id'] = 123 and I'm loggued again and able to see all the information related to the id 123

This is a security issue and I don't know what is happening!!!

any suggestion will be deeply appreciated.

Alejandra

Answer 1

4 - you click back and click "Resend information" - that means that you have resent your previous POST information (apparently thelogin and the password) - so nothing unusual. A hint: just make a redirect after logging the user in

Answer 2

Your step 4. is the problem, you click ok to resend the information, which is effectively your login information from step 1.

You are just logging in again...