
Session ID reused after logging out – security issue?

Hey all!

I’m using sessions on a new site of mine and I’ve noticed a possible issue while studying my database.

If a user logs in and logs out, and then someone logs in from the same IP address later on, the second login seems to get the same session ID as the first login. This seems like a security risk – it seems like the session ID is easily guessable.

Am I making some kind of mistake (do I need to use session_destroy on logout?) or is this expected behaviour? If this is normal, then is it a security risk? If it is a risk, is there a way for me to set the session id manually?

Thanks!

PHP

1 Comment

@couchmonkey (author), Jan 03, 2005 — I think I've got the solution to this problem... it looks like it may be picking up the old session ID courtesy of the session cookie, so I need to unset that. Useful information for others who want to get rid of old sessions:

http://www.php.net/session_destroy
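
The logout fix described in the comment above, as an added example that is not part of the original thread: it clears the session data, expires the session cookie so the browser stops sending the old ID, destroys the server-side session, and issues a fresh ID at login. The function names (`app_start_session`, `app_login`, `app_logout`) are hypothetical, and the code assumes PHP 7 or later with cookie-based sessions.

```php
<?php
declare(strict_types=1);

// Added example; helper names are hypothetical, not from the original post.

function app_start_session(): void
{
    // Must be set before session_start(): refuse session IDs the server
    // did not issue, and never accept an ID passed in the URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

function app_login(int $userId): void
{
    app_start_session();

    // Replace whatever ID the browser presented (for example one left over
    // from a previous user of the same browser) and delete the old session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function app_logout(): void
{
    app_start_session();

    // 1. Drop all session data held for this request.
    $_SESSION = [];

    // 2. Expire the session cookie, using the same parameters it was set
    //    with; otherwise the browser keeps sending the old ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // 3. Remove the server-side session storage.
    session_destroy();
}
```

`session_destroy()` on its own removes the stored data but leaves the cookie in the browser, which is why the same ID reappears on the next login unless the cookie is expired or the ID is regenerated.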