真正破坏 PHP 会话?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/508959/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Truly destroying a PHP Session?
提问by Nicholas Kreidberg
I have heard mixed responses on this topic, so what is a sure fire way to destroy a PHP session?
我听到了关于这个主题的不同反应,那么销毁 PHP 会话的可靠方法是什么?
session_start();
if(isset($_SESSION['foo'])) {
unset($_SESSION['foo'];
...
}
session_destroy();
In the most simple of cases, would this sufficient to truly terminate the session between the user and the server?
在最简单的情况下,这是否足以真正终止用户和服务器之间的会话?
回答by Gumbo
To destroy a session you should take the following steps:
要销毁会话,您应该执行以下步骤:
- delete the session data
- invalidate the session ID
- 删除会话数据
- 使会话 ID 无效
To do this, I'd use this:
要做到这一点,我会用这个:
session_start();
// resets the session data for the rest of the runtime
$_SESSION = array();
// sends as Set-Cookie to invalidate the session cookie
if (isset($_COOKIE[session_name()])) {
$params = session_get_cookie_params();
setcookie(session_name(), '', 1, $params['path'], $params['domain'], $params['secure'], isset($params['httponly']));
}
session_destroy();
And to be sure that the session ID is invalid, you should only allow session IDs that were being initiated by your script. So set a flag and check if it is set:
为了确保会话 ID 无效,您应该只允许由脚本启动的会话 ID。因此,设置一个标志并检查它是否已设置:
session_start();
if (!isset($_SESSION['CREATED'])) {
// invalidate old session data and ID
session_regenerate_id(true);
$_SESSION['CREATED'] = time();
}
Additionally, you can use this timestamp to swap the session ID periodically to reduce its lifetime:
此外,您可以使用此时间戳定期交换会话 ID 以减少其生命周期:
if (time() - $_SESSION['CREATED'] > ini_get('session.gc_maxlifetime')) {
session_regenerate_id(true);
$_SESSION['CREATED'] = time();
}
回答by Eli
The PHP Manual addresses this question.
PHP 手册解决了这个问题。
You need to kill the session and also remove the session cookie (if you are using cookies).
您需要终止会话并删除会话 cookie(如果您正在使用 cookie)。
See this page (especially the first example):
请参阅此页面(尤其是第一个示例):
回答by Alnitak
In the one site I've made where I did use PHP sessions, I never actually destroy the session.
在我创建的一个站点中,我确实使用了 PHP 会话,但实际上我从未破坏过会话。
The problem is that you pretty much have to call session_start()to check for your $_SESSIONvariables, at which point, lo and behold, you've created another session anyway.
问题是您几乎必须调用session_start()以检查您的$_SESSION变量,在这一点上,您瞧,无论如何您已经创建了另一个会话。
Hence on my site I just made sure that everypage called session_start(), and then just unset()those parts of the session state that matter when the user logs off.
因此,在我的网站上,我只是确保每个页面都调用session_start(),然后只是unset()会话状态的那些部分在用户注销时很重要。
回答by zloctb
$_SESSION = [];
@unset($_COOKIE[session_name()]);
session_destroy();
