duanran3115
2017-01-05 19:46
Accepted

php session_start() ignores already created sessions

I have set up a local webserver and put in a project I've been working on (the code was already working).

The problem I see is that session_start() ignores the already created sessions and keeps creating new ones (I can see a new file every time I click a link or refresh the page), even though the session variables get written into the file.

The sessions folder is owned by the http user (the default one in the php-fpm config).

This is the session config from php.ini:

session.save_handler = files
session.save_path = "/srv/http/sessions"
session.use_strict_mode = 1
session.use_cookies = 1
session.cookie_secure = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly = 1
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5

Does anyone know what's going on?

This is the function that starts the session:

public static function sec_session_start() {
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        $session_error = 'Error: Cannot create new user session.';
        return $session_error;
    }
    else {
        $session_name   = 'session_id';
        $domain         = 'domain.com';
        $secure         = TRUE;
        $httpOnly       = TRUE;                         // prevents cookie theft

        // Get the current cookies params.
        $cookieParams = session_get_cookie_params();
        // Set the current cookies params.
        session_set_cookie_params($cookieParams['lifetime'], $cookieParams['path'], $domain, $secure, $httpOnly);

        // Sets the session name to the one set above.
        session_name($session_name);
        session_start();                                // Start the PHP session

        if (!isset($_SESSION['CREATED'])) {
            $_SESSION['CREATED'] = time();
        } else if ((time() - $_SESSION['CREATED']) > 1800) {
            // session started more than 30 minutes ago
            session_regenerate_id(TRUE);                // change session ID for the current session and invalidate old session ID
            $_SESSION['CREATED'] = time();              // update creation time
        }
/*
        $hasExpired = FALSE;

        if (isset($_SESSION['staff_id'], $_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY']) > 9999) {  // 300 (5 mins)
            // last request was more than 5 minutes ago
            $_SESSION = array();                        // unset $_SESSION variable for the run-time
            $params = session_get_cookie_params();      // Get session parameters
            setcookie(session_name(),                   // Delete the actual cookie
                      '',
                      time() - 3600,
                      $params["path"],
                      $params["domain"],
                      $params["secure"],
                      $params["httponly"]);
            session_destroy();                          // destroy session data in storage

            $hasExpired = TRUE;                         // now we know the user has lost his session for inactivity
        }

        $_SESSION['LAST_ACTIVITY'] = time();            // update last activity time stamp*/
    }

    //return $hasExpired;
}

1 answer

  • dongtaogu8510 2017-01-05 21:30
    Accepted

    My bad, forgot to add COOKIE to the variables_order directive:

    variables_order = "GPCS"
    

    So that means that the server needs to access the cookie to actually know if a current session (for the user) already exists, no way to know otherwise.

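The check the answer implies, as an added example (not code from the question or the answer): a PHP function that reports why session_start() would not see an existing session cookie. The helper name, the pre-fix `GPS` value and the sample request values are assumptions constructed for illustration.

```php
<?php
// Added diagnostic, not code from the question or answer.
// session_cookie_findings() is a hypothetical helper name.
function session_cookie_findings(array $ini, array $server, array $cookie, string $name): array
{
    $findings = [];
    // $_SERVER['HTTP_COOKIE'] holds the raw header independently of $_COOKIE.
    $raw  = $server['HTTP_COOKIE'] ?? '';
    $sent = preg_match('/(?:^|;\s*)' . preg_quote($name, '/') . '=/', $raw) === 1;

    if (stripos($ini['variables_order'], 'C') === false) {
        $findings[] = 'variables_order has no "C", so $_COOKIE is never populated';
    }
    if ($sent && !isset($cookie[$name])) {
        $findings[] = "\"$name\" is in the Cookie header but not in \$_COOKIE";
    }
    if (!$sent) {
        // Normal on a first visit; on later requests the browser dropped the cookie.
        $findings[] = "request carries no \"$name\" cookie";
        $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
        if ($ini['session.cookie_secure'] && !$https) {
            $findings[] = 'cookie is Secure but the request is not HTTPS';
        }
        $domain = strtolower(ltrim($ini['session.cookie_domain'], '.'));
        $host   = strtolower(explode(':', $server['HTTP_HOST'] ?? '')[0]);
        $suffix = '.' . $domain;
        if ($domain !== '' && $host !== $domain && substr($host, -strlen($suffix)) !== $suffix) {
            $findings[] = "cookie domain \"$domain\" does not match host \"$host\"";
        }
    }
    return $findings;
}

// Constructed sample: variables_order without "C" (assumed pre-fix value),
// browser returning the cookie named in sec_session_start().
$ini = [
    'variables_order'       => 'GPS',
    'session.cookie_secure' => '1',
    'session.cookie_domain' => 'domain.com',
];
$server = ['HTTP_COOKIE' => 'session_id=constructedvalue', 'HTTPS' => 'on', 'HTTP_HOST' => 'domain.com'];
print_r(session_cookie_findings($ini, $server, [], 'session_id'));
```

On a live server, fill `$ini` from `ini_get('variables_order')` and `session_get_cookie_params()`, and pass `$_SERVER`, `$_COOKIE` and `session_name()`.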
