Logging user out after checkout, security issue?
Posted: Mon May 21, 2007 8:17 pm
I was discussing security with somebody who is using the same ecommerce software as I am (non-php), and I asked them how come the session was destroyed after the user checks out. He said it was for security purposes, so naturally I asked what security issues this is supposed to protect against. He said it was for protecting a user should they log in on a public computer.
other guy wrote: If I leave the browser window open, you can always hit the back button to steal my info.
Am I wrong? Is there some hidden risk I am not seeing? Thanks!
my response wrote: I'm not so sure that this "feature" helps with security any more than not having it. A user isn't guaranteed to check out simply because they are logged in. The same threat is posed regardless of whether the user's session is destroyed after checkout or not. The user could log in and never check out, and now they are just as vulnerable.
If it were for security, all that would be necessary is to regenerate the session id (if anything) to prevent session fixation.
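The session-fixation point in the reply above, worked through as an added example (not code from the forum or from any ecommerce package; the SessionStore class and its method names are assumed). It contrasts a login that keeps the pre-login session id with one that issues a fresh id and retires the old one, and shows why only the second leaves an attacker-known id worthless after login.

```python
"""Minimal server-side session store illustrating why regenerating the
session id at login defeats session fixation. Hypothetical code, not
taken from any shopping-cart product."""
import secrets


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session_id -> session data

    def start(self):
        """Create an anonymous (pre-login) session and return its id."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login_keep_id(self, sid, user):
        """Weak pattern: the id that existed before login stays valid after it."""
        if sid not in self._sessions:
            return None
        self._sessions[sid]["user"] = user
        return sid

    def login_regenerate(self, sid, user):
        """Safe pattern: on privilege change, move the data to a fresh id
        and drop the old id so nobody holding it can reuse it."""
        data = self._sessions.pop(sid, {"user": None})
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        """Resolve an id to the logged-in user, or None if unknown/anonymous."""
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


def fixation_outcome(regenerate):
    """Constructed scenario: a pre-login id is known to a third party before
    the legitimate user logs in. Returns (what the old id resolves to after
    login, what the id handed back by login resolves to)."""
    store = SessionStore()
    old_sid = store.start()
    if regenerate:
        new_sid = store.login_regenerate(old_sid, "alice")
    else:
        new_sid = store.login_keep_id(old_sid, "alice")
    return store.user_for(old_sid), store.user_for(new_sid)
```

With regeneration the old id resolves to nothing while the user's own browser, which received the new id from the login response, keeps working.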