why is php generating the same session ids everyti

2019-01-19 07:35发布

站内问答 / PHP
1409 7 6

i've configured wamp in my system, and am doing the development cum testing in this local environment. i was working on the logout functionality, and happened to notice that the session ids being generated are same within the browser.

Eg - chrome always generates session id = abc, for all users even after logging out and logging in; IE always generates session id = xyz, for all users.

Is this an issue with wamp/ my test environment?

please find below my logout php script -

<?php
session_start();
$sessionid = session_id();
echo $sessionid;
session_unset(); 
session_destroy(); 
?>

7条回答
够拽才男人
2楼-- · 2019-01-19 07:59

session_unset() and session_destroy() do not delete the session cookie. You have to manually unset it with a setcookie() call.

session_unset is the converse of session_register(), and session_destroy simply cleans out $_SESSION without affecting the cookie.

查看更多
0人赞 添加讨论(0) 举报
Fickle 薄情
3楼-- · 2019-01-19 08:12

You probably still have the cookie with the old session ID in it as neither session_unset nor session_destroy deletes that cookie:

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

So use setcookie to invalidate the session ID cookie after logout:

if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}

Another recommendation is to regenerate the session ID after successful authentication using session_regenerate_id(true).

查看更多
0人赞 添加讨论(0) 举报
Juvenile、少年°
4楼-- · 2019-01-19 08:15

Will work. Please try this

session_start(); 
session_regenerate_id(TRUE); 
session_destroy();
查看更多
0人赞 添加讨论(0) 举报
放荡不羁爱自由
5楼-- · 2019-01-19 08:15

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

Taken from http://php.net/manual/en/function.session-destroy.php

查看更多
0人赞 添加讨论(0) 举报
唯我独甜
6楼-- · 2019-01-19 08:15

To stop session hijacking follow the below code in PHP

    session_start();

    /* to stop session hijacking */

    // Generate new session without destroying the old one
    session_regenerate_id(false);

    // Fetch current session ID and close both sessions to allow other scripts to use them
    $newSession = session_id();
    session_write_close();

    // Assign session ID to the new one, and start it back up again
    session_id($newSession);

    session_start();
查看更多
0人赞 添加讨论(0) 举报
乱世女痞
7楼-- · 2019-01-19 08:17

You must regenerate the session id using function session_regenerate_id(). Without that, the session ID would be the same between page refreshes.

查看更多
0人赞 添加讨论(0) 举报
1 2 下一页
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)