开发者

Session clearing issue with PHP

I'm using a Facebook Connect application. Imagine it's a kind of application, where users come to my site, clicks connect button, logs in to Facebook and comes back to my site and wait for another user to connect.

I'm using the offline_access parameter when connecting. Once the user is back to my site, I need to clear all the session cookies. If the session wasn't cleared successfully, and the next user comes and connects, the user will not get the Login Page, instead it immediately redirects to my response URL, after taking my last session state.

I tried these methods together to clear the session:

    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $params["path"], $params["domain"],
                  $params["secure"], $params["httponly"]);
    }
    if (isset($_SERVER['HTTP_COOKIE'])) {
        $cookies = explode(';', $_SERVER['HTTP_COOKIE'开发者_高级运维]);
        foreach($cookies as $cookie) {
            $parts = explode('=', $cookie);
            $name = trim($parts[0]);
            setcookie($name, '', time()-42000);
            setcookie($name, '', time()-42000, '/');
        }
    }

With the above methods, something is working, but not all sessions are cleared, especially the Facebook domain specific cookies. So, to delete Facebook cookies, I tried the following static methods as well to test how it works. But, even this fails.

    setcookie('L', '', time()-42000,"/",".facebook.com");
    setcookie('act', '', time()-42000,"/",".facebook.com");
    setcookie('c_user', '', time()-42000,"/",".facebook.com");
    setcookie('datr', '', time()-42000,"/",".facebook.com");
    setcookie('locale', '', time()-42000,"/",".facebook.com");
    setcookie('lu', '', time()-42000,"/",".facebook.com");
    setcookie('pk', '', time()-42000,"/",".facebook.com");
    setcookie('p', '', time()-42000,"/",".facebook.com");
    setcookie('presence', '', time()-42000,"/",".facebook.com");
    setcookie('s', '', time()-42000,"/",".facebook.com");
    setcookie('sct', '', time()-42000,"/",".facebook.com");
    setcookie('x-src', '', time()-42000,"/",".facebook.com");
    setcookie('xs', '', time()-42000,"/",".facebook.com");

And finally, I tried the normal methods,

    unset($_SESSION['fb_243155855719532_access_token']);
    unset($_SESSION['fb_243155855719532_code']);
    unset($_SESSION['fb_243155855719532_user_id']);
    unset($_SESSION['fb_243155855719532_state']);

    // Finally, destroy the session.
    session_unset();
    session_destroy();exit;

Destroying session works, but still Facebook sessions are not getting cleared. If I try to clear session cookies, with the Firefox Web Dev add-on, it works very smartly.


If the user has 'offline_access' it's currently IMPOSSIBLE to clear the session.

Calling the PHP SDK method getLoginUrl() looks as though it should work, it logs the user out of Facebook, but when returning to your own site, the session is still valid.

This is NOT how it should work at the bug has only been introduced with the latest PHP SDK v3.

I have registered a bug, please vote/add your repro to help get it fixed:

http://developers.facebook.com/bugs/250825644953332


Due to cross-domain restrictions you can't edit cookies from a different domain (ie Facebook cookies). You could call the javascript sdk FB.logout() function to properly log out. The PHP SDK has a getLogoutUrl method that you could call:

$facebook->getLogoutUrl( array(
    'next'  => 'http://example.com/logout.php')
);
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜