[ic] Logout question
Kevin Walsh
interchange-users@icdevgroup.org
Tue Jan 7 02:47:00 2003
Sippo Laisaari [sippo@laisaari.com] wrote:
>
> I am building a Finnish web shop, and when done, I contribute the
> admin translation to you. (there is a lot of stuff, and might take some time)
>
It always takes time to Finnish. :-)
>
> How to invalidate user session when user presses logout button?
> Now it nicely tells that user has logged out, but still all user
> information is still there and can be modified pressing Services button.
>
> Also a session must be invalidated after non registered user checkout.
> Now the Service button allows to modify the dummy profile. The point is:
> Client has no idea what the dummy userid / password is, but still
> the information is there after checkout.
>
There's no need to 'invalidate' the session. You can clear the user's
session variables by adding a clear=1 parameter to the [userdb logout]
tag. The session can be safely reused once the user has logged out.
>
> This is also a security matter, you can shop using a public terminal and
> after you the next user can see all your stuff if he/she is clever enough
> and also could order some extra stuff to you :-(
>
Well, they could but they'd have to use their own credit card as that
information is not stored in the session at all.
--
Kevin Walsh
kevin@cursor.biz