doudeng3008 2016-08-25 11:57
55 views
Accepted

PHP session stays alive after destroy/reset

I have found a strange issue on my server (PHP 5.4.0, Apache) regarding session handling in PHP.

I have a function that starts the session; it contains the following code and is always called before anything else in my application:

static function startSession()
{
    $httponly = true;   // cookie not readable from JavaScript
    $secure = true;     // cookie only sent over HTTPS

    // Only accept the session ID from the cookie, never from the URL.
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        exit();
    }

    session_name("my_session");

    $cookieParams = session_get_cookie_params();

    // Keep path/domain from php.ini, set a 1-hour lifetime and the flags above.
    session_set_cookie_params(
        60*60,
        $cookieParams["path"],
        $cookieParams["domain"],
        $secure,
        $httponly
    );

    session_start();
}

Then there is a login procedure which does something like this:

$_SESSION['key1'] = 'some value';

// New session ID after authentication; true = delete the old session file.
session_regenerate_id(true);

And finally there is a logout function:

static function logout()
{
    // Clear all server-side session data.
    $_SESSION = array();

    // Expire the session cookie on the client with the same parameters it was set with.
    $params = session_get_cookie_params();

    setcookie(
        session_name(),
        '',
        time() - 42000,
        $params["path"],
        $params["domain"],
        $params["secure"],
        $params["httponly"]
    );

    // Remove the session file on the server.
    return session_destroy();
}

Now to the issue. When I log in, the following happens:

startSession();
...
$_SESSION['key1'] = 'some_value';
...

Somewhere in the future I call:

logout();

session_destroy() returns true and $_SESSION is reset. Everything is fine.

I then retest by sending the session cookie again to request some information, and the session is alive again. All the information is still there.

On the server I can see a session file that is generated:

sess_ : 394B

I have the following session setup:

ini_set('session.hash_function', 'sha512');      // hash used to derive session IDs
ini_set('session.entropy_file', '/dev/urandom');  // extra entropy source for IDs
ini_set('session.entropy_length', 256);           // bytes read from the entropy file
ini_set('session.use_trans_sid', 0);              // never put the ID in URLs
ini_set('session.use_only_cookies', 1);           // accept the ID from the cookie only
ini_set('session.cookie_lifetime', 0);            // session cookie (until browser close)
ini_set('session.use_strict_mode', 1);            // reject uninitialized IDs (PHP >= 5.5.2)
ini_set('session.cache_limiter', 'nocache');      // send no-cache headers

My session_save_path() is somewhere in /var/www/html/sites/....

What am I missing or doing wrong?

Thanks in advance

Dennis


1 answer

  • douxian8883 2016-08-26 08:45

    OK, I found the solution myself. I should have added that I am sending the requests from iOS using Objective-C.

    For all requests I was sending the cookie with the request.

    The problem was that the logout wasn't sending the cookie. So I requested the logout function. As said, all requests started a session. Then I reset the session and destroyed it.

    That means:
    request login - generates session abc123;
    request logout (without the cookie) - generates new session xyz456;
    log out session xyz456;
    abc123 stays logged in.

    So my advice is: make sure you are destroying the right session :)

    This answer was selected by the asker as the best answer.
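As an added example (not code from the question or the answer), a logout endpoint that refuses to act when the request carries no session cookie, so it never mints and destroys a throwaway session, and that reports which ID it actually destroyed so the client can check it matches the cookie it sent. It assumes the session name my_session from the question; the JSON response shape is my own choice.

```php
<?php
// Added example, not the asker's code. Logout that only acts on the session the
// request identifies, and tells the caller which session ID was destroyed.
const SESSION_NAME = 'my_session';

function logoutCurrentSession()
{
    // Without the cookie, session_start() would create a fresh ID (xyz456 in the
    // answer) and we would destroy that one while abc123 stays alive. Refuse instead.
    if (empty($_COOKIE[SESSION_NAME])) {
        return null;
    }

    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1'); // PHP >= 5.5.2: unknown IDs are replaced, not adopted
    session_name(SESSION_NAME);
    session_start();

    $destroyedId = session_id();

    // Wipe server-side data, expire the client cookie, delete the session file.
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie(SESSION_NAME, '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();

    return array(
        'logged_out_session' => $destroyedId,
        // false means the cookie held an ID the server did not know (strict mode
        // replaced it), i.e. that client session was already gone.
        'cookie_matched'     => ($destroyedId === $_COOKIE[SESSION_NAME]),
    );
}

// Endpoint: the iOS client can compare logged_out_session with the cookie it sent.
header('Content-Type: application/json');
$result = logoutCurrentSession();
if ($result === null) {
    http_response_code(400);
    echo json_encode(array('error' => 'no session cookie sent; nothing to log out'));
} else {
    echo json_encode($result);
}
```

A client that gets the 400 response knows its logout request was not attached to any session, which is exactly the silent failure described in the answer.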
