php 关闭会话并开始新的会话
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4345014/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Close session and start a new one
提问by álvaro González
I'm testing the implementation of a security check in my PHP sessions. I can successfuly detect whether the session was started from another IP address and I can successfully start a new session. However, the data from the old session gets copied into the new one! How can I start a blank session while preserving the previous session data for its legitimate owner?
我正在我的 PHP 会话中测试安全检查的实现。我可以成功检测会话是否是从另一个 IP 地址启动的,并且我可以成功启动一个新会话。但是,旧会话中的数据会被复制到新会话中!如何启动空白会话,同时为其合法所有者保留先前的会话数据?
This is my code so far, after lots of failed attempts:
到目前为止,这是我的代码,经过多次失败的尝试:
<?php
// Security check
if( isset($_SESSION['ip_address']) && $_SERVER['REMOTE_ADDR']!=$_SESSION['ip_address'] ){
// Check failed: we'll start a brand new session
session_regenerate_id(FALSE);
$tmp = session_id();
session_write_close();
unset($_SESSION);
session_id($tmp);
session_start();
}
// First time here
if( !isset($_SESSION['ip_address']) ){
$_SESSION['ip_address'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['start_date'] = new DateTime;
}
The official documentation about sessions is terribly confusing :(
关于会话的官方文档非常混乱:(
Update:I'm posting some findings I got through trial and error. They seem to work:
更新:我发布了一些我通过反复试验得到的发现。他们似乎工作:
<?php
// Load the session that we will eventually discard
session_start();
// We can only generate a new ID from an open session
session_regenerate_id();
// We store the ID because it gets lost when closing the session
$tmp = session_id();
// Close session (doesn't destroy data: $_SESSION and file remains)
session_destroy();
// Set new ID for the next session
session_id($tmp);
unset($tmp);
// Start session (uses new ID, removes values from $_SESSION and loads the new ones if applicable)
session_start();
采纳答案by Gumbo
Just call session_unsetafter session_regenerate_idto reset $_SESSIONfor the current session:
只需调用session_unsetaftersession_regenerate_id重置$_SESSION当前会话:
if (isset($_SESSION['ip_address']) && $_SERVER['REMOTE_ADDR']!=$_SESSION['ip_address']) {
// Check failed: we'll start a brand new session
session_regenerate_id(FALSE);
session_unset();
}
回答by dqhendricks
when a new user connects to your server, the script should only be able to access that user's session variables. you will want to store other info in a hashed session variable to verify that the session is not being Hymaned. if it is being Hymaned, no reason to start a new session, maybe just exit the script with a warning.
当新用户连接到您的服务器时,脚本应该只能访问该用户的会话变量。您需要将其他信息存储在散列会话变量中,以验证会话没有被劫持。如果它被劫持,没有理由开始新的会话,也许只是退出脚本并发出警告。
here is the function a lot of people use for fingerprinting a session:
这是很多人用于对会话进行指纹识别的功能:
function fingerprint() {
$fingerprint = $server_secure_word;
$fingerprint .= $_SERVER['HTTP_USER_AGENT'];
$blocks = explode('.', $_SERVER['REMOTE_ADDR']);
for ($i=0; $i<$ip_blocks; $i++) {
$fingerprint .= $blocks[$i] . '.';
}
return md5($fingerprint);
}
回答by Adeel
Use this
用这个
unset($_SESSION['ip_address'])
instead of 'unset($_session)' You can also use session_destroy.
而不是 'unset($_session)' 你也可以使用 session_destroy。
回答by Anson Yeung
session_destroywilldestroy session data. For example,
session_destroy会破坏会话数据。例如,
session_start();
$_SESSION["test"] = "test";
session_write_close();
session_start();
// now session is write to the session file
// call session_destroy() will destroy all session data in the file.
session_destroy();
// However the you can still access to $_SESSION here
print_r($_SESSION);
// But once you start the session again
session_start();
// all session data is gone as the session file is now empty
print_r($_SESSION);
will output
会输出
array([test] => "test")array()
