[thelist] some session info not destroyed on logout from site usingPEAR Auth

[Anthony Baratta]

> Once a user logs in to the site, they can either logout manually or the 
> session will timeout after 15 minutes. The problem is that if they then 
> log in with different user credentials, they still appear to be logged 
> in to the account they previously logged in with.

This is a guess, but it sounds like the login page does not over-write existing cookies or session info when the login process is activated. Instead it's accepting any existing data.

I'd walk through the login authentication and see how it's setting up the session info. You might want to add a cleaning function to just before it rebuilds the session info to ensure a fresh start.