Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I was discussing security with somebody who is using the same ecommerce software as I am (non-php), and I asked them how come the session was destroyed after the user checks out. He said it was for security purposes, so naturally I asked what security issues this is supposed to protect against. He said it was for protecting a user should they log in on a public computer.
other guy wrote: If I leave the browser window open, you can always hit the back button to steal my info.
my response wrote: I'm not so sure that this "feature" helps with security any more than not having it. A user isn't guaranteed to check out simply because they are logged in. The same threat is posed regardless of whether the user's session is destroyed after checkout or not. The user could log in and never check out, and now they are just as vulnerable.
If it were for security, all that would be necessary is to regenerate the session id (if anything) to prevent session fixation.
Am I wrong? Is there some hidden risk I am not seeing? Thanks!
I always clear the session of at least the shopping cart and ordering information upon checkout. But that's to prevent accidental reordering by the user. If you allow "one-click" ordering then signing them out might make sense. But if you require a valid credit card number to be entered then I am not sure who would order stuff to be shipped to someone else?!?
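The two approaches raised in the thread (clearing cart and ordering data at checkout, and regenerating the session ID rather than destroying the session) can be combined. The sketch below is an added example, not code from either poster or from the ecommerce software discussed; the session keys `user_id`, `cart` and `order` and the function name `complete_checkout` are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed session layout (not from the thread): 'user_id', 'cart', 'order'.
const CHECKOUT_KEYS = ['cart', 'order'];

/**
 * Finish a checkout without logging the user out.
 * Returns false when there is nothing to order (e.g. a resubmitted form).
 */
function complete_checkout(array &$session, callable $rotateId): bool
{
    if (empty($session['cart'])) {
        return false; // cart already cleared: refresh or Back-button resubmit
    }

    // ... the order would be persisted and charged here ...

    // Clear cart and ordering data so the same order cannot be placed twice.
    foreach (CHECKOUT_KEYS as $key) {
        unset($session[$key]);
    }

    // Issue a new session ID and delete the old session data; the login
    // ('user_id') survives because only the ID changes, not the contents.
    $rotateId();
    return true;
}

// Constructed demo data; run from the CLI with: php checkout.php
session_start();
$_SESSION['user_id'] = 42;
$_SESSION['cart']    = ['sku-1' => 2];
$_SESSION['order']   = ['ship_to' => 'constructed address'];
$oldId  = session_id();
$rotate = static function (): void {
    session_regenerate_id(true); // true = delete the old session
};

var_dump(complete_checkout($_SESSION, $rotate)); // first submit
var_dump(complete_checkout($_SESSION, $rotate)); // resubmit of the same form
var_dump(isset($_SESSION['user_id']), isset($_SESSION['cart']), $oldId !== session_id());
```

In a web request the call would be `complete_checkout($_SESSION, $rotate)` inside the checkout handler, before any output is sent.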