会话ID重新生效登录 - 在后续运行中将我从当前会话中踢出

I have this login mechanism with an additional authentication barrier presented before the user can change sensitive information (such as their password, email, etc.) through their profile.

There is a pre-session on the login page that I use for verifying the CSRF token, and I have code responsible for regenerating the session ID before the current session is given the user data and authentication status.

For the login process, everything goes fine. The session ID before and after logging in are different. No problems here. The problem begins when I go to authentication.php, which serves as a barrier presented to the user before they can change their password. Upon successfully validating the provided password against the hash from the database, I would set a new session variable named "authenticated" that gives access to the next page, pass-change.php. Before "authenticated" is set, the session ID must be, again, regenerated.

That's where my problem lies.

Instead of taking me to pass-change.php with a brand new session ID, it destroys the session; consequently, I am taken back to login.php, presumably because $_SESSION['loggedin'] is no longer set.

// This is my session_start() function

    function my_session_start() {
      session_start();
      if (isset($_SESSION['destroyed'])) {
         // checks if session has been 'destroyed' for more than 5 minutes
         if ($_SESSION['destroyed'] < time() - 300) {
           // if true, wipe all session variables and throw exception
           $_SESSION = array();
           throw new Exception('This session is obsolete');
         }
         if (isset($_SESSION['new_session_id'])) {
           // if new_session_id is still set, close the session and attempt to start a new session with it
           session_commit();
           session_id($_SESSION['new_session_id']);
           session_start();
           return;
         }
      }
    }
    my_session_start();

// This is my session_regenerate_id() function

    function my_session_regenerate_id() {
      // new session ID is created and stored for later use
      $new_session_id = session_create_id();
      $_SESSION['new_session_id'] = $new_session_id;
      // set the current session as 'destroyed' and save current time
      $_SESSION['destroyed'] = time();
      // close session
      session_commit();
      // set the new ID we created previously and start a new session
      session_id($new_session_id);
      ini_set('session.use_strict_mode', '0');
      session_start();
      ini_set('session.use_strict_mode', '1');
      // unset these variables as they should not be with the new session
      unset($_SESSION['destroyed']);
      unset($_SESSION['new_session_id']);
    }

// Sessions are always started at the beginning of every file. my_session_regenerate_id() is called right before I define session variables containing authentication flags or user data. This is done at login.php after password is checked against the hash and deemed correct; and also called at authentication.php after the user provides their correct password.

// this is the part where I call my_session_regenerate_id() at authentication.php

if (password_verify($pass, $hash)) {
    my_session_regenerate_id();
    $_SESSION["authenticated"] = time();
    header('Location: pass-change.php');
}

// some pages redirect when you're not logged in

if (!isset($_SESSION["loggedin"])) {
    header('Location: login.php');

I expect the session to retain its status after my_session_regenerate_id() is called at authentication.php, but it gets destroyed. All it should be doing is: set current session as 'destroyed', create new session ID and change to it, while retaining all other user data and authentication flags such as $_SESSION['loggedin'].

EDIT

As requested, here are the results from printing all session variable data:

Before login, at login.php:

array(2) {
  ["usertoken"]=>
  string(64) "519f82f974fb8e79b30ee950be9ba63048278105bd8e983fa832e754aaf47b3c"
  ["usrtokentime"]=>
  int(1553865620)
}

After first run of session ID regeneration, at profile.php:

Session ID changed after login

array(7) {
  ["lastLogin"]=>
  int(1553864997)
  ["loggedin"]=>
  string(0) ""
  ["registerDate"]=>
  int(1553605077)
  ["name"]=>
  string(14) "User Name"
  ["email"]=>
  string(26) "user.email@gmail.com"
  ["type"]=>
  string(1) "A"
  ["usertoken"]=>
  string(0) ""
}

Second run of session ID regeneration. After submitting the form at authentication.php and being thrown back to login.php:

Session ID changed again

array(3) {
  ["authenticated"]=>
  int(1553865804)
  ["usertoken"]=>
  string(64) "ba454364870f5d8cdfd4e5a3213d3a34117f161c098c97060e70327d3a983501"
  ["usrtokentime"]=>
  int(1553865804)
}

So, only "authenticated" session variable survived. All others were wiped out.

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dtvq4978 2019-03-29 14:12
关注
Thanks to 04FS, I was able to pinpoint the problem.

The my_session_regenerate_id() function is wiping all the session variables when it is called. The solution is to set all the variables after the function call, and that was easy to do in my code, because a prepared statement object was already available at that point to pull in all the data.

This is how my function call code looks like now at authentication.php:

if (password_verify($pass, $hash)) { my_session_regenerate_id(); $_SESSION["authenticated"] = time(); $_SESSION["lastLogin"] = $res['lastLogin']; $_SESSION["loggedin"] = ""; $_SESSION["registerDate"] = $res['registerDate']; $_SESSION["name"] = $res['name']; $_SESSION["email"] = $res['email']; $_SESSION["type"] = $res['type']; $_SESSION["usertoken"] = ""; header('Location: pass-change.php'); }
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

会话ID重新生效登录 - 在后续运行中将我从当前会话中踢出 php
2019-03-29 12:50

回答 1 已采纳 Thanks to 04FS, I was able to pinpoint the problem. The my_session_regenerate_id() function is wi
从登录会话中获取id并在主页中填充：php和mysql mysql php
2015-07-11 15:48

回答 1 已采纳 while you validate the database with your user_id & password then set : ##index.php $username=$_P
如何从php会话中获取mysql user_id？ mysql php
2019-03-30 11:00

回答 3 已采纳 Or pass a parameter to a function then you will get the id inside the function function get_oglasi
动态网站开发讲课笔记05：会话及会话技术
2023-03-24 08:34

howard2005的博客一旦用户浏览器接受了服务器发送的Cookie信息，就会将它保存在浏览器的缓冲区中，这样，当浏览器后续访问该服务器时，都会在请求消息中将用户信息以Cookie的形式发送给服务器，从而使服务器分辨出当前请求是由哪个...
PHP会话的数据在页面重新加载之间不一致 - 但会话ID是相同的 php
2016-07-05 06:50

回答 2 已采纳 Solved! I'll post my own answer for people with the same problem. Thanks to the people who helped
php - 在CodeIgniter 3中重定向后会话丢失 php
2018-01-28 10:01

回答 7 已采纳 i just solved my problem turns out i have old version of codeigniter 3 i upgrade my CI to the late
在php中设置cookie并通过ajax运行会话 ajax php
2018-05-20 10:50

回答 1 已采纳 Did you using session_start(); before you set value of session. for example: <?php sessi
企业微信-会话内容存档-全流程
2024-02-29 17:41

Defry的博客企业微信-会话内容存档-全流程，保姆级教程，减少踩坑
如何在会话变量中保存从数据库中提取的数组，以将其发送到php中的其他网页 php
2019-03-13 11:37

回答 1 已采纳 The reason why your print_r looked good is that you put into the loop. You rewrite the $_SESSION['
如何从谷歌登录获取PHP会话数据 php
2018-07-22 21:10

回答 1 已采纳 There wasn't a conventional way to do this, but I was able to get the information from the google
matlab附加程序下载过程中一点开老是显示有正在运行的会话 matlab
2022-10-12 20:29

回答 1 已采纳没有遇到过这种问题诶……进程除了“应用”一栏，可能还有有一些在“后台进程”里也得关……？要不考虑以下重启之类的吧……祝好~
zookeeper原理篇-Zookeeper会话机制(1)
2024-04-18 13:50

2401_84132381的博客代码真的是重质不重量，质量高的代码，是当前代码界提倡的，当然写出高质量的代码肯定需要一个相当高的专业素养，这需要在日常的代码书写中逐渐去吸收掌握，谁不是每天都在学习呀，目的还不是为了一个，为实现某个...
如何在php中设置从数据库中获取的项目的会话[关闭] php
2019-01-02 07:28

回答 1 已采纳 Try this one: In that file: <div class="item-container"> <h2><strong><?
Zookeeper会话管理源码深入探讨
2022-03-03 14:26

徐同学呀的博客深入探讨会话创建、分桶管理、清理和激活原理。
《Docker极简教程》--Docker在生产环境的应用--Docker在生产环境的部署
2024-02-25 20:37

喵叔哟的博客持续集成（Continuous Integration，CI）和持续部署（Continuous Deployment...环境配置是部署流程中的关键步骤之一，它涉及将应用程序所需的配置参数、环境变量等设置到容器中，以确保应用程序能够在容器中正确运行。
没有解决我的问题, 去提问

悬赏问题

¥15 如何在scanpy上做差异基因和通路富集？
¥20 关于#硬件工程#的问题，请各位专家解答！
¥15 关于#matlab#的问题：期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707，使系统具有较小的超调量
¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
¥30 截图中的mathematics程序转换成matlab
¥15 动力学代码报错，维度不匹配
¥15 Power query添加列问题
¥50 Kubernetes&Fission&Eleasticsearch
¥15 報錯：Person is not mapped，如何解決？
¥15 c++头文件不能识别CDialog

会话ID重新生效登录 - 在后续运行中将我从当前会话中踢出

1条回答 默认 最新

悬赏问题

1条回答默认最新