Thread: note 68508 added to function.session-destroy




note 68508 added to function.session-destroy
user name
2006-07-30 18:40:57
I had a frustrating problem with the 'sess_deleted' file
left behind by session_destroy().

When a user logs off my site, my logoff.php script deletes
the session cookie and destroys the session.  However, any
logged-off user who attempts to re-log in without first
closing the browser doesn't get a new session ID. Instead,
these users all end up sharing the 'sess_deleted' session
because their session cookie still exists with the value
'deleted'.  Needless to say, this causes all sorts of
conflicts, user account collisions, etc. between multiple
users all sharing 'sess_deleted.'

The solution is to regenerate the session ID if needed,
after calling session_start():

session_start();
if (session_id() == 'deleted')   // invalid session ID
   session_regenerate_id(true);
----
Server IP: 64.71.164.2
Probable Submitter: 66.159.220.134
----
Manual Page -- http://www.php.net/manual/en/function.session-destroy.php

-- 
PHP Notes Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
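
An added example, not part of the original note and not PHP project code: a session-start and logout pair for the situation described above, where a leftover cookie value such as 'deleted' must never be accepted as a session ID. The function names and the 'initiated' session key are assumptions; session.use_strict_mode requires PHP 5.5.2 or later.

```php
<?php
// Added example; function names and the 'initiated' key are hypothetical.

// Start a session, refusing any ID this server did not issue
// (for example a leftover cookie whose value is the literal 'deleted').
function start_session_safely(): void
{
    // Strict mode: PHP discards a client-supplied ID that has no
    // server-side session behind it and generates a fresh one.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();

    // Defence in depth: a session this code never marked is treated as
    // foreign. Drop its data and continue under a new ID, deleting the
    // old server-side record.
    if (empty($_SESSION['initiated'])) {
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['initiated'] = true;
    }
}

// Log out: clear the data, expire the cookie with the same parameters it
// was set with, then destroy the server-side record.
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];

    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Path, domain, secure and httponly must match the original
        // cookie, otherwise the browser keeps the old one.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

After a successful login, call session_regenerate_id(true) again so the authenticated session never reuses the ID the visitor arrived with.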

note 68508 deleted from function.session-destroy by bjori
user name
2006-07-30 23:46:54
Note Submitter: Alex Matulich
Reason: bad code

----

I had a frustrating problem with the 'sess_deleted' file
left behind by session_destroy().

When a user logs off my site, my logoff.php script deletes
the session cookie and destroys the session.  However, any
logged-off user who attempts to re-log in without first
closing the browser doesn't get a new session ID. Instead,
these users all end up sharing the 'sess_deleted' session
because their session cookie still exists with the value
'deleted'.  Needless to say, this causes all sorts of
conflicts, user account collisions, etc. between multiple
users all sharing 'sess_deleted.'

The solution is to regenerate the session ID if needed,
after calling session_start():

session_start();
if (session_id() == 'deleted')   // invalid session ID
   session_regenerate_id(true);

