dongzhong7443 2015-12-29 09:35
33 views

PHP sessions - best practice for logout

I'm working on a PHP Application that uses the session_destroy() method to log a user out of the system, because it is considered good practice to destroy all session information on logout.

However, I'd like to store some information like "Last login date, Last Username", etc. indefinitely (until the browser's cache/cookies are flushed). This information will be used to build subtle personalisation features for the user/people using the same browser.

I cannot store this data on the server because this information needs to be identified with the Browser, not a User of the system, and I have no data that uniquely identifies a browser reliably.

What is the best/recommended way of going about this? I'm currently thinking multiple sessions, and using one of them to store this kind of information, and not destroying it.

Any good advice would be appreciated. Security is a concern for this application. Thanks in advance!

Edit: Bottom line: Does not destroying a session completely open up security risks like session hijacking?


2 answers

  • dongnachuang6635 2015-12-29 09:39

    It is better (and you have to) to store the last_login and last_login_ip in the users table in the database rather than on the client side. What if the browser crashes, or the user logs in using another browser/computer?

    The session_destroy() is the right one. Or if you wanna do more, you can reset the session (which is not recommended) and call session_destroy() like this:

    $_SESSION = array();
    session_destroy();
    

    But I would recommend clearing only the particular session information that you have set using the application. Say, for example:

    unset($_SESSION["user"]);
    

    "because remember, the data I'm storing here would be used after the user has been logged out, which means I have no way of identifying the user"

    You are storing the data in the database, which means there's no way you can make a mistake. The comment is crazy. Let me give an example for what you said first. Consider the last_login and last_login_ip, and you do this:

    Query_The_Server("UPDATE `users` SET `last_login`=NOW(), `last_login_ip`='{$_SERVER["REMOTE_ADDR"]}' WHERE `user_id`={$_SESSION["user"]["user_id"]}");
    

    Now tell me, how can the above thing fail?


    "Example: in the login page, I want to say 'Last logged in user on this machine was: John'."

    This calls for a privacy issue. Say, for example, I log into the app and log out, and my friend logs in, or some other person who's waiting to hit on me logs in. He finds that I have logged in previously, and this might be a privacy issue. Think about it.

    But still, if this is what you wanna do, then yes, do not use session_destroy(); instead use unset($_SESSION["user"]); or whatever you stored to identify the user, and don't touch the last_user.

    Another idea would be:

    $_SESSION["last_user"] = $_SESSION["user"];
    unset($_SESSION["user"]);                         // Technically logging out.
    unset($_SESSION["last_user"]["private_stuff"]);   // Make sure you clear the private stuff.
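
A way to put the two halves of this answer together, as an added example that is not code from the original question or answer: the login record goes to the database through a prepared statement (no string interpolation of REMOTE_ADDR or the user id into the SQL), the session id is regenerated on login, and the logout handler keeps only a display name for the "last logged in on this machine" hint while destroying the authenticated session, its cookie and its id. The function names, the PDO connection, and the `users` / `user_id` / `username` column names are this example's own assumptions.

```php
<?php
// Added example, not from the original page. Assumes a PDO connection and a
// `users` table with `user_id`, `username`, `last_login` and `last_login_ip`
// columns; every function name here is this example's own.

declare(strict_types=1);

// Record the login server-side. The prepared statement keeps REMOTE_ADDR and
// the user id out of the SQL text, so neither can alter the query.
function recordLogin(PDO $pdo, int $userId, string $remoteAddr): void
{
    $stmt = $pdo->prepare(
        'UPDATE `users` SET `last_login` = NOW(), `last_login_ip` = :ip WHERE `user_id` = :id'
    );
    $stmt->execute([':ip' => $remoteAddr, ':id' => $userId]);
}

// On login: replace whatever session id the browser arrived with, so an id
// that existed before authentication is never promoted to a logged-in one.
function loginUser(array $userRow): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = [
        'user_id'  => (int) $userRow['user_id'],
        'username' => (string) $userRow['username'],
    ];
}

// On logout: remember only a display name, destroy the authenticated session
// (server-side data and client cookie), then continue in a fresh session
// under a new id that carries nothing but the non-sensitive hint.
function logoutKeepingLastUser(): void
{
    $lastUser = $_SESSION['user']['username'] ?? null;

    // Wipe the server-side data and expire the session cookie in the browser.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();

    // New, unauthenticated session with a new id; the old id is gone, so a
    // copy of it obtained earlier no longer maps to any session data.
    session_start();
    session_regenerate_id(true);
    if ($lastUser !== null) {
        $_SESSION['last_user'] = $lastUser;
    }
}
```

A login handler would call recordLogin() and then loginUser() after the credentials check; the logout page calls logoutKeepingLastUser(); and the login page reads $_SESSION['last_user'] for the hint. The hint is only a display name, so even if the new session's id were captured it authenticates nothing, which is what the edit in the question is really asking about.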
    
