[thelist] some session info not destroyed on logout from site using PEAR Auth

Sarah Adams mrsanders at designshift.com
Tue May 16 15:15:23 CDT 2006


I'm currently helping a client to fix a problem with their site's user 
authorization functionality, which uses the PEAR Auth package. I know 
next to nothing about PEAR or Auth, unfortunately.

Once a user logs in to the site, they can either log out manually or the 
session will time out after 15 minutes. The problem is that if they then 
log in with different user credentials, they still appear to be logged 
in to the account they previously logged in with.

My guess is that something that is supposed to happen automatically when 
the session times out (or when the logout function is called manually) 
is not happening. I took a look at the logout function for a clue as to 
what *should* be happening and saw that it was just calling 
session_destroy(). Based on some reading in the PHP docs, I changed it 
to this, which seems to have fixed the problem when manually logging out 
anyway:
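   // Expire the session cookie in the browser, if the request carried one
   if (isset($_COOKIE[session_name()])) {
     setcookie(session_name(), '', time()-42000, '/');
   }
   // Remove the session data stored on the server
   session_destroy();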

I was thinking that I could get the same results for the 
timeout/auto-logout by adding the same snippet of code to the login form 
- that way I know for sure that the user is completely logged out before 
they log back in. But I'm not sure this is the best way to solve the 
problem or if I'll just be dealing with a bunch of new and different 
problems if I try this.

Any suggestions?

-- 
sarah adams
web developer & programmer
portfolio: http://sarah.designshift.com
blog: http://hardedge.ca
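
An added example, not part of the original post and not PEAR Auth code: one way to clear the session fully on manual logout, on the 15-minute idle timeout and before a new login, using only PHP's built-in session functions. The function names, the `username` and `last_seen` session keys and the PHP 7.1+ syntax are assumptions.

```php
<?php
// Added example; all function names and session keys here are hypothetical.
const IDLE_LIMIT = 900; // 15 minutes, the timeout described in the post

function open_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Remove every trace of the current session: data, cookie, server-side record.
function end_session(): void
{
    open_session();                       // session_destroy() needs an active session
    $_SESSION = [];                       // clear data for the rest of this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params(); // expire the cookie with the scope it was set with
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // delete the stored session record
}

// Call at the top of every protected page and of the login form handler.
// Returns true if an idle session was found and destroyed.
function enforce_idle_timeout(int $now): bool
{
    open_session();
    $last = $_SESSION['last_seen'] ?? null;
    if ($last !== null && $now - $last > IDLE_LIMIT) {
        end_session();
        return true;
    }
    $_SESSION['last_seen'] = $now;        // record activity for the next request
    return false;
}

// Call only after the submitted credentials have been verified.
function begin_login(string $username): void
{
    open_session();
    $_SESSION = [];                       // drop anything left by the previous user
    session_regenerate_id(true);          // new ID; the old session record is deleted
    $_SESSION['username']  = $username;
    $_SESSION['last_seen'] = time();
}
```

These functions send headers through `session_start()`, `setcookie()` and `session_regenerate_id()`, so they must run before any page output.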


