PHP在登录/退出时重新生成会话ID不起作用 [英] PHP Regenerating session ID on login / out not working
问题描述
我无法获取 PHP 的 session_regenerate_id() 在我正在开发的应用程序中工作.该应用程序使用(松散的)自制 MVC 框架,并通过 index.php 文件使用 .htaccess 重定向所有请求.
I'm having trouble getting PHP's session_regenerate_id() to work in an application I'm developing. The application uses a (loose) self-made MVC framework and redirects all requests using .htaccess through the index.php file.
我正在尝试在注销时重新生成会话 ID,但它无法正常工作.
I'm trying to regenerate the session ID on logout but it isn't working correctly.
这是我的注销控制器中的一些代码 - 过期变量用于检查会话超时:
Here is some code from my logout controller - the expired variable is a check for session timeout:
session_regenerate_id(true);
if(isset($_SESSION['expired']))
{
$this->registry->template->expired = true;
}
session_unset();
session_destroy();
同样相关的是 index.php 文件开头的代码:
Also relevant is the code from the beginning of the index.php file:
session_cache_expire(20);
session_start();
session_name("TMU");
//session_regenerate_id();
我在每个页面的底部回显 session_id() 的结果,以查看它包含的内容以测试它是否已重新生成.
I'm echoing out the result of session_id() at the bottom of each page to see what it contains to test if it has been regenerated.
但是,当您注销时,会话 ID 不会更改.当您再次登录(即使使用另一个帐户)时,会话 ID 是相同的.
The session ID doesn't change when you logout however. When you login again (even with another account) the session ID is the same.
您会注意到 index.php 文件中被注释掉的第四行 - 如果我取消注释该行,ID 似乎在每个页面上都按原样重新生成.但是,当我再次注释掉该行时,会话 ID 再次是我在索引文件中取消注释该行之前的原始 ID...
You'll notice the commented out fourth line of the index.php file - if I uncomment that line the ID appears to be regenerated on every page as it should. However, when I comment the line out again the session ID is once again the original ID from before I uncommented the line in the index file...
我只是想知道如何让 session_regenerate_id() 工作.似乎只是没有提交"更改后的 ID.我试过使用 session_commit() 但我不明白它是如何完全工作的,当我试图破坏会话时它给了我一个错误.
I'm just wondering how I can get session_regenerate_id() to work. It seems like it's just not 'committing' the changed id. I've tried using session_commit() but I don't understand how it works fully and it was giving me an error when I tried to destroy the session.
PHP 5.3.10 和 Apache 2.2.21
PHP 5.3.10 and apache 2.2.21
推荐答案
在多次重温这个话题后,我已经想通了.有两个问题.
After revisiting this topic several times, I have figured it out. There were two problems.
session_regenerate_id()必须在显示任何 HTML 输出和/或发送标头之前调用.(它需要作为第一个函数之一被调用,就像session_start()一样).- 订单很重要.
session_name("TMU")需要在session_start()之前调用以获得所需的结果 - 我之前没有发现.
session_regenerate_id()must be called before any HTML output is displayed and/or headers are sent. (It needs to be called as one of the first functions, just likesession_start()).- Order matters.
session_name("TMU")needs to be called BEFOREsession_start()to have the desired result - I didn't catch this before.
基本上发生在我身上的是在 session_start() 导致它设置两个会话 ID cookie 之后调用 session_name("TMU") - 两个会话 - 一个名为TMU 其他只是默认的 PHPSESSID.更改顺序解决了我所有的问题,现在重新生成 ID/销毁旧会话按预期工作.
Basically what was happening to me was calling session_name("TMU") after session_start() was causing it to set TWO session ID cookies - two sessions - one named TMU the other just the default PHPSESSID. Changing the order fixed all my problems and regenerating the ID / destroying the old session works as expected now.
对于在执行此操作时遇到问题的任何人,我建议您回显 $_SESSION 和 $_COOKIE 数组以查看您的特定应用程序中发生的情况.
For anyone having problems doing this I suggest you echo out the $_SESSION and $_COOKIE arrays to see what is happening in your particular application.
这篇关于PHP在登录/退出时重新生成会话ID不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
