PHP - 为什么我不能摆脱这个会话id cookie?

时间:2021-07-04 06:52:47

I'm trying to troubleshoot a logout function for a web app. When you're logged in, the app has several cookies set for its domain. Here's the current logout procedure:

我正在尝试解决Web应用程序的注销功能。当您登录时,该应用程序会为其域设置多个Cookie。这是当前的注销程序:

  • You click a link, which sends you to a logout page

    • 单击链接,该链接将您转到注销页面

  • The logout page runs a function that calls session_destroy() and also loops through all the cookies for the domain and sets them to expire in the past (see code below)

    • 注销页面运行一个调用session_destroy()的函数,并循环遍历域的所有cookie并将它们设置为过去的过期(请参阅下面的代码)

  • The logout page then redirects to a login page, which is straight HTML.

    • 然后,注销页面重定向到登录页面,这是直接的HTML。

At the end of this process, all the other cookies are unset, but the PHPSESSID cookie is still there, has the same value, and is still set to expire at the end of the session.

在此过程结束时,所有其他cookie都未设置,但PHPSESSID cookie仍然存在,具有相同的值,并且仍设置为在会话结束时到期。

What am I missing here?

我在这里想念的是什么?

Here's the logout function I mentioned above:

这是我上面提到的注销功能:

function log_out_current_user() {

        // Destroy the session
        if (isset($_SESSION)) {
            session_destroy();
        }

        // Expire all of the user's cookies for this domain:
        // give them a blank value and set them to expire
        // in the past
        if (isset($_SERVER['HTTP_COOKIE'])) {
            $cookies = explode(';', $_SERVER['HTTP_COOKIE']);
            foreach($cookies as $cookie) {
                $parts = explode('=', $cookie);
                $name = trim($parts[0]);
                setcookie($name, '', time()-1000);
                setcookie($name, '', time()-1000, '/');
            }
            // Explicitly unset this cookie - shouldn't be redundant,
            // but it doesn't hurt to try
            setcookie('PHPSESSID', '', time()-1000);
        }

    }

1 个解决方案

#1

30  

You are not removing it with the same parameters as it was created. Use session_get_cookie_params to obtain those. To be portable you should get the name of the cookie via session_name. Here's a small script to do that:

您没有使用与创建时相同的参数删除它。使用session_get_cookie_params来获取它们。要便于携带,您应该通过session_name获取cookie的名称。这是一个小脚本:

$params = session_get_cookie_params();
setcookie(session_name(), '', 0, $params['path'], $params['domain'], $params['secure'], isset($params['httponly']));

#1

30  

You are not removing it with the same parameters as it was created. Use session_get_cookie_params to obtain those. To be portable you should get the name of the cookie via session_name. Here's a small script to do that:

您没有使用与创建时相同的参数删除它。使用session_get_cookie_params来获取它们。要便于携带,您应该通过session_name获取cookie的名称。这是一个小脚本:

$params = session_get_cookie_params();
setcookie(session_name(), '', 0, $params['path'], $params['domain'], $params['secure'], isset($params['httponly']));
标签:

相关文章