
PHP Session / Cookie arrays seem to be conflicting on the "same" site

I have a site which houses many various directories (such as admins, members, demo users, etc.). Initially, I created a unique session name for each and every directory of the site, but this became tedious and became an impossible headache when destroying sessions for a single user on one directory (and in turn killing his session with the others). Additionally, I believe the cookies can be shared across a single browser window when tested locally (XAMPP) and on our outside server hosted by Media Temple.

(e.g. $_SESSION['name'] would show on both sites if set on one).

What is the proper way to handle such activity, ESPECIALLY when on the same site (think of an admin user logged in: he logs in as a demo user to give a product demonstration, then chooses to log out, which in turn logs him out of demo but not admin)?

Any good online resources for such?

Logout

Thought it might help to show my current logout script:

<?php
    session_start();

    $_SESSION = array();

    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]
        );
    }

    session_unset();
    session_regenerate_id(true);
    header("Location: page");
    exit;
?>


You should not try to manually set the session cookie. PHP does all of that for you.

If you want to end a session, use session_destroy, which completely nukes the entire session from orbit. You don't need to do anything else, like regenerate the ID.

You do not need to and should not use session_unset, it does not do anything in modern PHP.

If you need to have multiple sessions on a single domain, you want to use session_set_cookie_params and session_name before you call session_start to define the cookie path and cookie name for that specific "sub-site." Do this independently for each sub-site. Don't reuse the same session cookie name with different paths, that will cause quite a bit of trouble.
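
A sketch of the per-sub-site setup described in the answer above, as an added example that is not part of the original answer or the asker's code. It assumes PHP 7.3+; the sub-site keys, cookie names and paths are hypothetical.

```php
<?php
// Added example, not the answerer's code. Assumes PHP 7.3+ (array forms of
// session_set_cookie_params() and setcookie()). Names and paths are hypothetical.
const SUBSITES = [
    'admin' => ['name' => 'ADMINSESSID', 'path' => '/admin/'],
    'demo'  => ['name' => 'DEMOSESSID',  'path' => '/demo/'],
];

function subsite_session_start(string $site): void
{
    if (!array_key_exists($site, SUBSITES)) {
        throw new InvalidArgumentException("unknown sub-site: $site");
    }
    // Only one session can be open at a time; flush any other one first.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }
    session_name(SUBSITES[$site]['name']);
    session_set_cookie_params([
        'lifetime' => 0,                        // browser-session cookie
        'path'     => SUBSITES[$site]['path'],  // sent only under this directory
        'secure'   => true,                     // set false only for plain-HTTP local testing
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Take the ID from the cookie only and reject IDs the server did not issue.
    session_start(['use_only_cookies' => 1, 'use_strict_mode' => 1]);
}

function subsite_logout(string $site): void
{
    subsite_session_start($site);   // select the session being ended
    $params = session_get_cookie_params();
    $_SESSION = [];
    session_destroy();              // deletes the server-side data only
    // Expire the browser cookie too, with the same name and path it was set with.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $params['path'],
        'domain'   => $params['domain'],
        'secure'   => $params['secure'],
        'httponly' => $params['httponly'],
        'samesite' => $params['samesite'],
    ]);
}

// /demo/logout.php would call: subsite_logout('demo');  // admin session untouched
```

Cookie paths keep the two cookies from colliding; they are not an isolation boundary between scripts on the same origin.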


Sessions have a few rules you need to follow quite closely in order to get things going correctly. If you don't, you'll suffer from all these "gotchas" that will haunt your application.

Use a Framework

I recommend you use a PHP framework; most of them handle sessions automatically. Something like Kohana, CodeIgniter, Zend, etc.

A more practical response

Using a framework on something you've already developed isn't simple. In order to avoid them, I recommend doing the following:

Copy what a framework would do:

1. Create a session_init.php file, and a bootstrap.php file. At the top of every viewable file, include your bootstrap file, and then at the top of the bootstrap file include session_init.
2. In session_init.php, create your session

class session {
    static function init()
    {
        // Configure garbage collection
        ini_set('session.gc_probability', 1);
        ini_set('session.gc_divisor', 1000);
        ini_set('session.gc_maxlifetime', 43200);

        // Start the session!
        session_name('mysession');
        // Use a session ID passed in the request, if any (POST overrides GET)
        if (!empty($_GET['session_id']))
            session_id($_GET['session_id']);
        if (!empty($_POST['session_id']))
            session_id($_POST['session_id']);
        session_start();

        // Put session_id in the session variable
        $_SESSION['session_id'] = session_id();
    }

    static function destroy()
    {
        if (session_id() !== '')
        {
            // Get the session name
            $name = session_name();

            // Destroy the session
            session_destroy();

            // Re-initialize the array
            $_SESSION = array();
        }
    }
}
session::init();

The session path will be automatically set to the root of the domain, which is important because that way you don't need to go and create sessions for every page.

When people need to log out, you'd run session::destroy();
