开发者

PHP - why can't I get rid of this session id cookie?

I'm trying to troubleshoot a logout function for a web app. When you're logged in, the app has several cookies set for its domain. Here's the current logout procedure:

  • You click a link, which sends you to a logout page
  • The logout page runs a function that calls session_destroy() and also loops through all the cookies for the domain and sets them to expire in the past (see code below)
  • The logout page then redirects to a login page, which is straight HTML.

At the end of this process, all the other cookies are unset, but the PHPSESSID cookie is still there, has the same value, and is still set to expire at the end of the session.

What am I missing here?

Here's the logout function I mentioned above:

function log_out_current_user() {

        // Destroy the session
        if (isset($_SESSION)) {
     开发者_运维技巧       session_destroy();
        }

        // Expire all of the user's cookies for this domain:
        // give them a blank value and set them to expire
        // in the past
        if (isset($_SERVER['HTTP_COOKIE'])) {
            $cookies = explode(';', $_SERVER['HTTP_COOKIE']);
            foreach($cookies as $cookie) {
                $parts = explode('=', $cookie);
                $name = trim($parts[0]);
                setcookie($name, '', time()-1000);
                setcookie($name, '', time()-1000, '/');
            }
            // Explicitly unset this cookie - shouldn't be redundant,
            // but it doesn't hurt to try
            setcookie('PHPSESSID', '', time()-1000);
        }

    }


You are not removing it with the same parameters as it was created. Use session_get_cookie_params to obtain those. To be portable you should get the name of the cookie via session_name. Here's a small script to do that:

$params = session_get_cookie_params();
setcookie(session_name(), '', 0, $params['path'], $params['domain'], $params['secure'], isset($params['httponly']));
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜