PHP - 为什么我不能摆脱这个会话 ID cookie?
我正在尝试对网络应用的注销功能进行故障排除.当您登录时,该应用程序为其域设置了多个 cookie.这是当前的注销程序:
I'm trying to troubleshoot a logout function for a web app. When you're logged in, the app has several cookies set for its domain. Here's the current logout procedure:
- 您单击一个链接,该链接会将您转到注销页面
- 注销页面运行一个函数,该函数调用
session_destroy()
并循环访问域的所有 cookie 并将它们设置为过去过期(请参阅下面的代码) - 注销页面然后重定向到登录页面,这是纯 HTML.
- You click a link, which sends you to a logout page
- The logout page runs a function that calls
session_destroy()
and also loops through all the cookies for the domain and sets them to expire in the past (see code below) - The logout page then redirects to a login page, which is straight HTML.
在此过程结束时,所有其他 cookie 都未设置,但 PHPSESSID
cookie 仍然存在,具有相同的值,并且仍设置为在会话结束时过期.
At the end of this process, all the other cookies are unset, but the PHPSESSID
cookie is still there, has the same value, and is still set to expire at the end of the session.
我在这里遗漏了什么?
这是我上面提到的注销功能:
Here's the logout function I mentioned above:
function log_out_current_user() {
// Destroy the session
if (isset($_SESSION)) {
session_destroy();
}
// Expire all of the user's cookies for this domain:
// give them a blank value and set them to expire
// in the past
if (isset($_SERVER['HTTP_COOKIE'])) {
$cookies = explode(';', $_SERVER['HTTP_COOKIE']);
foreach($cookies as $cookie) {
$parts = explode('=', $cookie);
$name = trim($parts[0]);
setcookie($name, '', time()-1000);
setcookie($name, '', time()-1000, '/');
}
// Explicitly unset this cookie - shouldn't be redundant,
// but it doesn't hurt to try
setcookie('PHPSESSID', '', time()-1000);
}
}
推荐答案
您没有使用与创建时相同的参数来删除它.使用 session_get_cookie_params
来获取这些.为了便于携带,您应该通过 session_name
获取 cookie 的名称.这是一个小脚本来做到这一点:
You are not removing it with the same parameters as it was created. Use session_get_cookie_params
to obtain those. To be portable you should get the name of the cookie via session_name
. Here's a small script to do that:
$params = session_get_cookie_params();
setcookie(session_name(), '', 0, $params['path'], $params['domain'], $params['secure'], isset($params['httponly']));
相关文章