On my website, I use sessions and cookies to keep user accounts logged in. It works fine until this happens:
If a user is signed on, and signs off... and then goes into the website and clicks on a link that opens a new smaller window, when the user returns to the main window and clicks through to any other page, he is now logged back in. It happens to both my shoutbox and open forum windows. I can't figure out why it won't destroy the session; I have session_destroy, session_unset, and even session_close_write() on my log out script.
Go to www.cafe-house.com and try this: sign in with this dummy account:
user: testuser101 pass: testuser101, then log off, go to the bottom of the page and expand the shoutbox. Even if you close the shoutbox, upon clicking anywhere on the site you'll be logged back in!!
Here's my log out script:
setcookie ("saveduser", "", time()-3600);
setcookie ("savedpass", "", time()-3600);
session_unregister("user");
session_unregister("pass");
session_destroy();
unset($use);
unset($pass);
session_write_close();
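
A logout sequence that clears the session and both saved-login cookies, as an added example that is not part of the original post. It assumes the `saveduser` and `savedpass` cookies were set with path `/` and no explicit domain. `setcookie()` called without a path uses the directory of the current request, so a delete issued from one directory does not remove a cookie that was set under another.

```php
<?php
// Added example, not the poster's code. Cookie names are taken from the post;
// the "/" path is an assumption and must match the path used at login.

// The session has to be opened before it can be emptied and destroyed.
session_start();

// 1. Drop every session variable for the rest of this request.
$_SESSION = [];

// 2. Expire the session cookie, reusing the parameters it was created with.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(
        session_name(), '', time() - 3600,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']
    );
}

// 3. Remove the server-side session data.
session_destroy();

// 4. Expire the saved-login cookies. The browser only deletes a cookie when
//    name, path and domain match the values used when it was set.
foreach (['saveduser', 'savedpass'] as $name) {
    setcookie($name, '', time() - 3600, '/');
    unset($_COOKIE[$name]); // also hide it from code later in this request
}
```

Pages that log a user in automatically from `saveduser` and `savedpass` will keep doing so for as long as the browser still sends those cookies, whatever happens to the session. Holding a password in a cookie also exposes it to anything that can read that cookie; a random token checked on the server is the usual replacement.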