I am writing a social networking site, and I am trying to figure out PHP sessions. At the top of the login page, I call session_destroy(), and I call session_start() at the page where new users are officially registered as users and at the user homepage. When a user logs out, they are linked to the home page that has session_destroy, but then I can log back in as whatever user just logged out, no matter what username or password I enter. This is my first time working with sessions, so I'm wondering where I'm supposed to put session_destroy so it actually destroys the session when I logout.
Use session_destroy to destroy the session data and session_unset to clear the $_SESSION variable, respectively.

Furthermore, call session_regenerate_id(true) after an authentication attempt to change the current session's ID and destroy the session data that is still associated with the old session ID.
The best way is by following the manual. Here is sample code that erases any session variables, the session cookie and then the session file itself:
<?php
// A session must be active before its data can be cleared or destroyed;
// session_destroy() on an inactive session only emits a warning.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
// Unset all of the session variables.
$_SESSION = array();
// Delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(
        session_name(),
        '',
        time() - 42000,
        $params["path"],
        $params["domain"],
        $params["secure"],
        $params["httponly"]
    );
}
// Finally, destroy the session.
if (session_status() === PHP_SESSION_ACTIVE) {
    session_destroy();
}
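As an added example (not code from either answer), here is how the two recommendations fit together in a login/logout pair: the logout path does the full cookie-plus-file teardown shown above, and the login path calls session_regenerate_id(true) only after the credentials check succeeds, so an attacker who planted a session ID before login is left holding a dead one. The credential store and the authenticate() function are constructed stand-ins for the site's own user table.

```php
<?php
declare(strict_types=1);

// Constructed sample user table (hypothetical; the real site would query its DB).
// The hash is computed at runtime so no password digest is hard-coded.
$USERS = ['alice' => ['id' => 1, 'hash' => password_hash('s3cret', PASSWORD_DEFAULT)]];

// Hypothetical credential check: returns the user id, or null on failure.
function authenticate(string $user, string $pass): ?int {
    global $USERS;
    if (!isset($USERS[$user]) || !password_verify($pass, $USERS[$user]['hash'])) {
        return null;
    }
    return $USERS[$user]['id'];
}

function ensure_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

function login(string $user, string $pass): bool {
    ensure_session();
    $id = authenticate($user, $pass);
    if ($id === null) {
        return false;                 // leave the anonymous session untouched
    }
    // Swap the pre-authentication ID for a fresh one and delete the old
    // session file (the `true` argument), defeating session fixation.
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $id, 'login_at' => time()];
    return true;
}

function logout(): void {
    ensure_session();                 // session_destroy() needs an active session
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Every protected page should check the session rather than a "logged in" flag
// in the URL or form; call this after session_start() on those pages.
function require_login(string $redirect = '/login.php'): void {
    ensure_session();
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $redirect);
        exit;
    }
}
```

In the asker's layout, logout.php would call logout() and then redirect to the home page, and the login handler would call login() instead of calling session_destroy() at the top of the login page.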