
Logging user out after checkout, security issue?

Posted: Mon May 21, 2007 8:17 pm
by Luke
I was discussing security with somebody who is using the same ecommerce software as I am (non-php), and I asked them how come the session was destroyed after the user checks out. He said it was for security purposes, so naturally I asked what security issues this is supposed to protect against. He said it was for protecting a user should they log in on a public computer.
other guy wrote: If I leave the browser window open, you can always hit the back button to steal my info.
my response wrote: I'm not so sure that this "feature" helps with security any more than not having it. A user isn't guaranteed to check out simply because they are logged in. The same threat is posed regardless of whether the user's session is destroyed after checkout or not. The user could log in and never check out, and now they are just as vulnerable.

If it were for security, all that would be necessary is to regenerate the session id (if anything) to prevent session fixation.
Am I wrong? Is there some hidden risk I am not seeing? Thanks!

Posted: Mon May 21, 2007 10:13 pm
by Christopher
I always clear the session of at least the shopping cart and ordering information upon checkout. But that's to prevent accidental reordering by the user. If you allow "one-click" ordering then signing them out might make sense. But if you require a valid credit card number to be entered then I am not sure who would order stuff to be shipped to someone else?!?
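To make the two options in this thread concrete, here is an added example (not code from either poster or from the ecommerce software mentioned) of a minimal server-side session store. It is written in Python against a constructed in-memory dictionary; the class names, the `regenerate` helper and the `fixation_attack` scenario are all assumptions made for illustration. It shows Luke's point (regenerating the session id on login closes session fixation) and Christopher's approach (clearing the cart and order data at checkout without signing the user out), alongside the "destroy everything" variant for comparison.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Session:
    # Constructed, minimal session state for an ecommerce site (assumption).
    user: Optional[str] = None
    cart: List[str] = field(default_factory=list)
    order: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """In-memory session store (assumed for illustration; a real site would
    persist sessions, but the id-handling logic shown here is the same)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def new_id() -> str:
        # Cryptographically random id; guessing attacks are not the topic here,
        # but a predictable id would undermine everything below.
        return secrets.token_urlsafe(32)

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def start(self) -> str:
        """Anonymous session, as created when a visitor first arrives."""
        sid = self.new_id()
        self._sessions[sid] = Session()
        return sid

    def regenerate(self, sid: str) -> str:
        """Move the session data to a fresh id and forget the old id.
        This is the fixation defence Luke describes: any id an attacker
        planted or observed before this point stops being valid."""
        data = self._sessions.pop(sid)
        fresh = self.new_id()
        self._sessions[fresh] = data
        return fresh

    def login(self, sid: str, user: str, regenerate: bool = True) -> str:
        """Authenticate the session; returns the id the browser should use."""
        self._sessions[sid].user = user
        return self.regenerate(sid) if regenerate else sid

    def checkout_clear_only(self, sid: str) -> str:
        """Christopher's approach: wipe cart and order data so a back-button
        resubmit cannot reorder, but keep the user signed in."""
        sess = self._sessions[sid]
        sess.cart.clear()
        sess.order.clear()
        return self.regenerate(sid)

    def checkout_destroy(self, sid: str) -> None:
        """The 'log out after checkout' behaviour from the thread: drop the
        whole session, so the user must log in again to do anything else."""
        self._sessions.pop(sid, None)


def fixation_attack(regenerate_on_login: bool) -> bool:
    """Constructed scenario. Returns True if the attacker ends up holding an
    authenticated session, i.e. if session fixation succeeds."""
    store = SessionStore()
    # Attacker obtains a valid anonymous id and plants it in the victim's
    # browser (how is out of scope here); the victim then logs in with it.
    planted = store.start()
    store.login(planted, "victim", regenerate=regenerate_on_login)
    # Attacker presents the id they already knew.
    sess = store.get(planted)
    return sess is not None and sess.user == "victim"


def checkout_keeps_login() -> tuple:
    """Constructed walk-through of checkout_clear_only: the cart is emptied,
    the old id is dead, but the user stays authenticated on the new id."""
    store = SessionStore()
    sid = store.login(store.start(), "alice")
    store.get(sid).cart.append("widget")
    old_sid = sid
    sid = store.checkout_clear_only(sid)
    sess = store.get(sid)
    return (sess.user == "alice", len(sess.cart), store.get(old_sid) is None)


def checkout_destroy_logs_out() -> bool:
    """Constructed walk-through of checkout_destroy: nothing survives."""
    store = SessionStore()
    sid = store.login(store.start(), "alice")
    store.checkout_destroy(sid)
    return store.get(sid) is None


if __name__ == "__main__":
    print("fixation without regeneration:", fixation_attack(False))
    print("fixation with regeneration:   ", fixation_attack(True))
    print("clear-only checkout (logged in, cart size, old id dead):",
          checkout_keeps_login())
    print("destroy checkout logged out:", checkout_destroy_logs_out())
```

Note that neither checkout variant protects a user who walks away from a public machine while still logged in, which is the gap Luke points out; what `regenerate` does address is an id that was known before authentication, and `checkout_clear_only` gives Christopher's reorder protection without killing the session.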

Posted: Tue May 22, 2007 1:47 am
by Kieran Huggins
Also, I hate it when sites kill my back-button. As long as it's there I want to be able to use it.