- Fixed destroy() not killing the correct session

- Passing the sessionid and kp3 is now required, to make sure its the correct session
- Removed deleting cookies, which is done by logout.php ... its redundent

phpgwapi/inc/class.sessions.inc.php

@@ -486,22 +486,13 @@
 								. "where sessionid='" . $this->sessionid."'",__LINE__,__FILE__);
 		}
 
-		function destroy($sessionid='',$kp3='')
+		function destroy($sessionid, $kp3)
 		{
-			if(empty($sessionid) || !$sessionid)
+			if (! $sessionid && $kp3)
-			{
-				$sessionid = $GLOBALS['HTTP_GET_VARS']['sessionid'] ? $GLOBALS['HTTP_GET_VARS']['sessionid'] : $GLOBALS['HTTP_COOKIE_VARS']['sessionid'];
-				$kp3       = $GLOBALS['HTTP_GET_VARS']['kp3']       ? $GLOBALS['HTTP_GET_VARS']['kp3']       : $GLOBALS['HTTP_COOKIE_VARS']['kp3'];
-			}
-
-			if(!$sessionid && $kp3)
 			{
 				return False;
 			}
 
-			$GLOBALS['phpgw_info']['user']['sessionid'] = $sessionid;
-			$GLOBALS['phpgw_info']['user']['kp3'] = $kp3;
-	 
 			$GLOBALS['phpgw']->db->transaction_begin();
 			$GLOBALS['phpgw']->db->query("delete from phpgw_sessions where session_id='"
 								. $sessionid . "'",__LINE__,__FILE__);
@@ -509,16 +500,12 @@
 								. $sessionid . "'",__LINE__,__FILE__);
 			$GLOBALS['phpgw']->db->query("update phpgw_access_log set lo='" . time() . "' where sessionid='"
 								. $sessionid . "'",__LINE__,__FILE__);
-			if ($GLOBALS['phpgw_info']['server']['usecookies'])
+
+			// Only do the following, if where working with the current user
+			if ($sessionid == $GLOBALS['phpgw_info']['user']['sessionid'])
 			{
-				Setcookie('sessionid');
-				Setcookie('kp3');
-				if ($GLOBALS['phpgw_info']['multiable_domains'])
-				{
-					Setcookie('domain');
-				}
-			}
 				$this->clean_sessions();
+			}
 			$GLOBALS['phpgw']->db->transaction_commit();
 
 			return True;