
Session variables survive after logout

开发者 https://www.devze.com 2022-12-30 17:01 Source: web

I will explain how to reproduce my problem:

  1. Log into my page: session variables are set as $_SESSION['logged'] = true and $_SESSION['id'] = 123.

  2. Inside the main menu, click the log out option. The code is like this:

    function logout()
    {
        session_start();
        $_SESSION['id'] = null;
        $_SESSION['logged'] = null;
    
        // Clear the session data; assigning an empty array is the documented
        // way to do this (unset($_SESSION) disables the superglobal).
        $_SESSION = [];
    
        session_destroy();
    
        require_once('Views/SessionExpiredView.php');
    }
    
  3. In the session expired view I display a link to the login page; there, the session is null.

  4. I click back on the browser, and click OK to resend information.

  5. The session becomes again $_SESSION['logged'] = true and $_SESSION['id'] = 123 and I am logged in again and able to see all the information related to the ID 123.

This is a security issue and I don't know what is happening.


Step 4: You click back and click “Resend information” — that means that you have resent your previous POST information (apparently the login and the password) — so nothing unusual.

A hint: just make a redirect after logging the user in.
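As an added example (not the asker's code or the answerer's), here is the redirect-after-login fix from this answer written out in PHP, together with a logout that also drops the session cookie. It assumes a `/dashboard.php` page, a `Views/LoginView.php` form, form fields `user`/`pass`, and a constructed in-script credential store in place of the real one.

```php
<?php
// Added example, not the asker's code. Login follows Post/Redirect/Get as
// the answer suggests, so the POST response carries no page to "resend".
// Assumed (not on the page): form fields user/pass, /dashboard.php,
// Views/LoginView.php, and the constructed credential store below.
declare(strict_types=1);
session_start();

// Constructed sample credential store: user => [id, password hash].
$store = ['alice' => [123, password_hash('correct horse battery', PASSWORD_DEFAULT)]];

function check_credentials(array $store, string $user, string $pass): ?int
{
    if (!isset($store[$user]) || !password_verify($pass, $store[$user][1])) {
        return null;
    }
    return $store[$user][0];
}

function handle_login(array $store): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        require_once 'Views/LoginView.php';      // GET just shows the form (assumed view)
        return;
    }
    $id = check_credentials($store, $_POST['user'] ?? '', $_POST['pass'] ?? '');
    if ($id === null) {
        http_response_code(401);
        require_once 'Views/LoginView.php';
        return;
    }
    session_regenerate_id(true);              // fresh session id on privilege change
    $_SESSION['logged'] = true;
    $_SESSION['id']     = $id;
    // 303 redirect: the POST response has no page of its own, so "Back" from
    // the dashboard lands on the login form and there is no POST to resend.
    header('Location: /dashboard.php', true, 303);
    exit;
}

function logout(): void
{
    $_SESSION = [];                           // clear data; do not unset $_SESSION itself
    $p = session_get_cookie_params();         // also remove the cookie from the browser
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: /login.php', true, 303);
    exit;
}

($_GET['action'] ?? '') === 'logout' ? logout() : handle_login($store);
```

With this, pressing Back after login returns to the form rather than to a POST result, and logout leaves neither server-side data nor a cookie for the browser to reuse.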


Your step 4 is the problem: you click OK to resend the information, which is effectively your login information from step 1.

You are just logging in again...

