[thelist] some session info not destroyed on logout from site using PEAR Auth
Sarah Adams
mrsanders at designshift.com
Tue May 16 15:15:23 CDT 2006
I'm currently helping a client to fix a problem with their site's user
authorization functionality, which uses the PEAR Auth package. I know
next to nothing about PEAR or Auth, unfortunately.

Once a user logs in to the site, they can either log out manually or the
session will time out after 15 minutes. The problem is that if they then
log in with different user credentials, they still appear to be logged
in to the account they previously logged in with.

My guess is that something that is supposed to happen automatically when
the session times out (or when the logout function is called manually)
is not happening. I took a look at the logout function for a clue as to
what *should* be happening and saw that it was just calling
session_destroy(). Based on some reading in the PHP docs, I changed it
to this, which seems to have fixed the problem when manually logging out
anyway:

    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time()-42000, '/');
    }
    session_destroy();

I was thinking that I could get the same results for the
timeout/auto-logout by adding the same snippet of code to the login form
- that way I know for sure that the user is completely logged out before
they log back in. But I'm not sure this is the best way to solve the
problem or if I'll just be dealing with a bunch of new and different
problems if I try this.

Any suggestions?
--
sarah adams
web developer & programmer
portfolio: http://sarah.designshift.com
blog: http://hardedge.ca
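
The following is an added example, not part of the original post and not PEAR Auth's own code. It sketches one way to handle the three points the question touches (manual logout, the 15-minute idle timeout, and logging in as a different user) using only PHP's built-in session functions. The function names and the `$_SESSION` keys `user` and `last_activity` are hypothetical.

```php
<?php
// Added example, not code from the original post. Function names and the
// $_SESSION keys 'user' and 'last_activity' are hypothetical.

const IDLE_LIMIT = 900; // 15 minutes, the timeout mentioned in the post

// Remove every trace of the current session: data, cookie, server-side store.
function destroy_session_completely(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                       // drop the data held for this request
    if (ini_get('session.use_cookies')) {
        // Expire the cookie with the same scope it was originally set with.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // delete the server-side session data
}

// Call on every protected page, after session_start(). Enforces the idle
// timeout on the server instead of relying on the cookie expiring.
function enforce_idle_timeout(): bool
{
    $last = $_SESSION['last_activity'] ?? null;
    if ($last !== null && time() - $last > IDLE_LIMIT) {
        destroy_session_completely();
        return false;                     // caller redirects to the login form
    }
    $_SESSION['last_activity'] = time();
    return true;
}

// Call only after the submitted credentials have been verified.
function begin_authenticated_session(string $username): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                       // discard anything left by a previous user
    session_regenerate_id(true);          // issue a new ID and delete the old session
    $_SESSION['user'] = $username;
    $_SESSION['last_activity'] = time();
}
```

Clearing `$_SESSION` and regenerating the session ID at login means a stale session left by a timeout cannot carry the previous account's data into the new login, whichever path ended the earlier session.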