問題描述

我正在嘗試對網絡應用的注銷功能進行故障排除.當您登錄時，該應用程序為其域設置了多個 cookie.這是當前的注銷程序:

I'm trying to troubleshoot a logout function for a web app. When you're logged in, the app has several cookies set for its domain. Here's the current logout procedure:

• 您單擊一個鏈接，該鏈接會將您轉到注銷頁面
• 注銷頁面運行一個函數，該函數調用 session_destroy() 并循環訪問域的所有 cookie 并將它們設置為過去過期(請參閱下面的代碼)
• 注銷頁面然后重定向到登錄頁面，這是純 HTML.

• You click a link, which sends you to a logout page
• The logout page runs a function that calls session_destroy() and also loops through all the cookies for the domain and sets them to expire in the past (see code below)
• The logout page then redirects to a login page, which is straight HTML.

在此過程結束時，所有其他 cookie 都未設置，但 PHPSESSID cookie 仍然存在，具有相同的值，并且仍設置為在會話結束時過期.

At the end of this process, all the other cookies are unset, but the PHPSESSID cookie is still there, has the same value, and is still set to expire at the end of the session.

我在這里遺漏了什么?

這是我上面提到的注銷功能:

Here's the logout function I mentioned above:

function log_out_current_user() {

        // Destroy the session
        if (isset($_SESSION)) {
            session_destroy();
        }

        // Expire all of the user's cookies for this domain:
        // give them a blank value and set them to expire
        // in the past
        if (isset($_SERVER['HTTP_COOKIE'])) {
            $cookies = explode(';', $_SERVER['HTTP_COOKIE']);
            foreach($cookies as $cookie) {
                $parts = explode('=', $cookie);
                $name = trim($parts[0]);
                setcookie($name, '', time()-1000);
                setcookie($name, '', time()-1000, '/');
            }
            // Explicitly unset this cookie - shouldn't be redundant,
            // but it doesn't hurt to try
            setcookie('PHPSESSID', '', time()-1000);
        }

    }

推薦答案

您沒有使用與創建時相同的參數來刪除它.使用 session_get_cookie_params 來獲取這些.為了便于攜帶，您應該通過 session_name 獲取 cookie 的名稱.這是一個小腳本來做到這一點:

You are not removing it with the same parameters as it was created. Use session_get_cookie_params to obtain those. To be portable you should get the name of the cookie via session_name. Here's a small script to do that:

$params = session_get_cookie_params();
setcookie(session_name(), '', 0, $params['path'], $params['domain'], $params['secure'], isset($params['httponly']));

這篇關于PHP - 為什么我不能擺脫這個會話 ID cookie?的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！