(PHP) 如何正确销毁会话cookie?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2241769/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
(PHP) How to destroy the session cookie correctly?
提问by Tony Stark
I'm trying to correctly log out of an admin user. Here is my function:
我正在尝试正确注销管理员用户。这是我的功能:
function logout()
{
$_SESSION = array(); //destroy all of the session variables
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
session_destroy();
}
Basically, once I authenticate the password, I set the session as being valid (only 1 user total). Now, when the admin hits logout, I want to destroy the current session, and also destroy the cookie, so that they can't just go back to the admin page using the stored session cookie in the browser. but my code doesn't work. i hit logout, and i can just directly navigate back to the admin page. however, if i delete my cookies, the functionality is perfect. so what's wrong with the cookie deleting function here?
基本上,一旦我验证了密码,我就会将会话设置为有效(总共只有 1 个用户)。现在,当管理员点击注销时,我想销毁当前会话,并销毁 cookie,这样他们就不能使用浏览器中存储的会话 cookie 返回管理页面。但我的代码不起作用。我点击注销,我可以直接导航回管理页面。但是,如果我删除我的 cookie,该功能是完美的。那么这里的cookie删除功能有什么问题呢?
采纳答案by Pekka
Maybe your problem is not the cookie, but the browser showing a cached version of your admin page. Could that be? If it disappears when you hit F5, it's probably that. This can be sorted by setting the right cache-controlheaders.
也许您的问题不是 cookie,而是浏览器显示管理页面的缓存版本。那可能吗?如果它在你点击时消失F5,可能就是这样。这可以通过设置正确的cache-control标题来排序。
Check out this SO questionon the issue of how to set caching. The question is about exactly the other way round (forcing browsers to cache) but you'll figure out what to change to turn caching off.
回答by MANCHUCK
If you really want to cover all bases try doing:
如果您真的想涵盖所有基础,请尝试执行以下操作:
setcookie (session_id(), "", time() - 3600);
session_destroy();
session_write_close();
That should prevent further access to the session data for the rest of PHP execution. The browser may still show the cookie being set however the $_SESSION super will be blank
这应该可以防止在 PHP 执行的其余部分进一步访问会话数据。浏览器可能仍会显示正在设置的 cookie,但是 $_SESSION super 将为空白
回答by bearfriend
Just a tip for others who are having issues expiring session cookies:
只是给遇到会话 cookie 过期问题的其他人的提示:
PHP - why can't I get rid of this session id cookie?
Always use session_get_cookie_params() as in the answer to the question in the link above.
始终使用 session_get_cookie_params() 作为上面链接中问题的答案。
