- Better session handling for the logout/wrong password case

SVN:code[21]

application/loginwebpage.class.inc.php

@@ -90,6 +90,17 @@ h1 {
 		}
 		if (!UserRights::Login($sAuthUser, $sAuthPwd))
 		{
+			// Unset all of the session variables.
+			$_SESSION = array();
+			// If it's desired to kill the session, also delete the session cookie.
+			// Note: This will destroy the session, and not just the session data!
+			if (isset($_COOKIE[session_name()]))
+			{
+				setcookie(session_name(), '', time()-3600, '/');
+			}		
+			// Finally, destroy the session.
+			session_destroy();
+
 			$oPage = new login_web_page();
 		    $oPage->DisplayLoginForm( true /* failed attempt */);
 		    $oPage->output();