Logging user out after checkout, security issue?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

I was discussing security with somebody who is using the same ecommerce software as I am (non-php), and I asked them how come the session was destroyed after the user checks out. He said it was for security purposes, so naturally I asked what security issues this is supposed to protect against. He said it was for protecting a user should they log in on a public computer.
other guy wrote: If I leave the browser window open, you can always hit the back button to steal my info.
my response wrote: I'm not so sure that this "feature" helps with security any more than not having it. A user isn't guaranteed to check out simply because they are logged in. The same threat is posed regardless of whether the user's session is destroyed after checkout or not. The user could log in and never check out, and now they are just as vulnerable.

If it were for security, all that would be necessary is to regenerate the session id (if anything) to prevent session fixation.
Am I wrong? Is there some hidden risk I am not seeing? Thanks!
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

I always clear the session of at least the shopping cart and ordering information upon checkout. But that's to prevent accidental reordering by the user. If you allow "one-click" ordering then signing them out might make sense. But if you require a valid credit card number to be entered then I am not sure who would order stuff to be shipped to someone else?!?
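A PHP sketch of what the two posts above describe (rotate the session id against fixation, clear cart and order data after checkout without logging the user out, and deal with the public-computer and back-button risks directly), added here as an example and not code from the thread or from the store software it mentions. The session keys and the 15-minute idle limit are assumptions.

```php
<?php
// Added example, not code from the thread or from any store software it discusses.
// Session keys ('user_id', 'cart', 'order') and the 15-minute idle limit are assumptions.

session_start();

// On login: rotate the id so a session-fixation id planted before authentication
// is never tied to the logged-in user (Luke's "regenerate the session id" point).
function onLogin(int $userId): void
{
    session_regenerate_id(true);          // true also deletes the old session data
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

// After a successful order: drop cart and order data so back/refresh cannot
// resubmit (Christopher's point), but keep the user logged in.
function onCheckoutComplete(): void
{
    unset($_SESSION['cart'], $_SESSION['order']);
    session_regenerate_id(true);
}

// The "logged in on a public computer" risk is the same before and after checkout,
// so address it directly: expire idle sessions on every request.
function enforceIdleTimeout(int $maxIdle = 900): void
{
    $last = $_SESSION['last_seen'] ?? time();
    if (time() - $last > $maxIdle) {
        logout();
        return;
    }
    $_SESSION['last_seen'] = time();
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Pages showing order or account details: tell the browser not to cache them,
// otherwise the back button shows the cached page even after the session is gone.
function sendNoStoreHeaders(): void
{
    header('Cache-Control: no-store, max-age=0');
}
```

Call enforceIdleTimeout() and sendNoStoreHeaders() before any output on every authenticated page; session_regenerate_id() and setcookie() also have to run before headers are sent.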
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

Also, I hate it when sites kill my back-button. As long as it's there I want to be able to use it.