[thelist] some session info not destroyed on logout from site using PEAR Auth

Anthony Baratta anthony at baratta.com
Tue May 16 15:40:49 CDT 2006

> Once a user logs in to the site, they can either log out manually or the
> session will timeout after 15 minutes. The problem is that if they then
> log in with different user credentials, they still appear to be logged
> in to the account they previously logged in with.

This is a guess, but it sounds like the login page does not over-write existing cookies or session info when the login process is activated. Instead it's accepting any existing data.

I'd walk through the login authentication and see how it's setting up the session info. You might want to add a cleaning function to just before it rebuilds the session info to ensure a fresh start.
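
One way to write the cleaning function suggested above, as an added example that is not part of the original message or of PEAR Auth. The function names are hypothetical, only PHP's built-in session functions are used, and PHP 7.1 or later is assumed for the syntax.

```php
<?php
// Hypothetical helpers, not PEAR Auth API. Call reset_session_for_login()
// right before the authentication code rebuilds the session, and
// destroy_session_on_logout() from the logout and timeout handlers.

function reset_session_for_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Drop every value a previous login left behind, so the new login
    // cannot inherit the old user's identity or cached account data.
    $_SESSION = [];

    // Issue a new session ID and delete the old session's stored data.
    // The new credentials are then bound to an ID the previous user
    // (or anyone who saw the old ID) does not hold.
    session_regenerate_id(true);
}

function destroy_session_on_logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Clear the in-memory copy first; session_destroy() does not do this.
    $_SESSION = [];

    // Expire the session cookie in the browser, using the same
    // parameters it was set with so the browser matches and removes it.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(
            session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']
        );
    }

    // Remove the server-side session data.
    session_destroy();
}
```

If the application keeps its own login cookies in addition to the PHP session cookie, those need to be expired in the same two places.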
