PHP Session is not destroying after user logout
Question
I'm trying to create an authentication mechanism for my PHP Application and I'm having difficulty destroying the session. I've tried unsetting the authentication token which was previously set within the session array and destroying the session through
session_destroy ,
as well as resetting the session array completely before destroying the session. I'm calling the header function and going back to my index.php page at the end of the function calls. I've also tried
session_write_close
to handle closing the session. When I log the user out, I do a vardump of the session, and It shows no data present, however when I go back to the index.php page, I'm getting back the user authentication data. I also did a vardump of the Post data just to ensure I'm not somehow resubmitting the post authentication handler.
Any suggestions on what to do here?
6 answers
solution1
8 ACCPTED 2009-11-05 23:04:02
First, make sure you're calling session_start(); before calling session_destroy(); because it will only issue a warning if you don't.
Also, from PHP: session_destroy :
In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.
solution2
2 2009-11-06 00:21:01
Also worth noting about PHP sessions, session_unset() > session_destroy() ; I do not know why. After reading the PHP Manual entry on session_destroy() , it seems to only remove data within the current context, and not actually clear it from the flat session file, so if you didn't clear the cookie you could get it right back. This seems highly counter-intuitive (as PHP often is), and might be the reason why I decided (and then promptly forgot the reason) years ago to always use session_unset() over session_destroy() .
Also, make sure your redirect is occurring after you do all this session nonsense, as PHP acts in ways which not all developers expect. Best Practice, IMO, is to follow every header('Location: ...'); call with a die;
solution3
1 2010-02-03 10:42:04
如果你只使用session_unset()然后错误的IE仍然保留数据我的建议是使用两者。
solution4
0 2009-11-05 22:54:30
我会检查使用Fiddler将浏览器发送到服务器的内容,并检查您在session.save_path中存储了哪些信息
solution5
0 2009-11-05 22:55:09
Are you sure the page isn't cached?
Write over the authentication token:
session_start();
$_SESSION['varName'] = null;
$_SESSION = array();
session_destroy();
solution6
0 2009-11-05 23:00:52
however when I go back to the index.php page
Isn't the particular page just been requested from the browser cache? Do a hard refresh of the page ( CTRL+F5 in most webbrowsers).
If that turns out to be the cause and you want to disable request caching, add the following set of headers to HTML <head> your page:
<meta http-equiv="cache-control" content="no-cache,no-store,must-revalidate">
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="0">
or, in the PHP code using PHP's header() function:
header('cache-control: no-cache,no-store,must-revalidate'); // HTTP 1.1.
header('pragma: no-cache'); // HTTP 1.0.
header('expires: 0'); // Proxies.
Don't forget to clear the browser cache before testing :)
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.