Does a session cookie expire when the browser is closed?
I have a PHP application where I set $_SESSION['user']="logged"
once a user is authenticated. I call this loginpage.php.
Once authenticated and the session variable set, the user is taken to a member page which starts with the lines:
<?php
session_set_cookie_params(0, '/');
session_start();
if ($_SESSION['user'] != 'logged') {
    header("Location: loginpage.php");
}
?>
When a user has logged in, closes the browser and then visits the members page, I expect him to be redirected to loginpage.php.
However, this does not happen. The session cookie is still there in the browser - I tested this using Firefox.
Could someone explain to me where I'm getting it wrong?
The answers above, including the accepted one, are wrong.
Session cookies don't expire on browser close because of some design decisions made by prominent browser developers.
Basically, session-expiring cookies interfered with the current browser behavior, where a browser downloads updates and then asks to be restarted.
The user, after such updates, restarts the browser and wants to experience as little disruption as possible.
Keeping the original session cookies behavior, however, would instantly clear a number of cookies during the browser update => restart process and would disrupt user experience.
Therefore design decisions were made so that now the default behavior is to not clear the session cookies. Advanced users who want to return to the original behavior usually have to enable specific backward compatibility options or explicit cookie clear options.
The cookie should be deleted, because you set its lifetime to 0.
Maybe there is still a Firefox process running; take a look in the task manager.
Also, you should terminate your script after header('Location:'); otherwise it will just continue running and output the "secure" page to the client anyway (or, if you are lucky, to the web server, which will hopefully ignore it), consuming resources.
Look here.
"The expiration timestamp is set relative to the server time, which is not necessarily the same as the time in the client's browser."
Could be that... dunno.
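A members-page guard that enforces expiry on the server instead of trusting the browser to discard the cookie on close (the point of the first answer) and that stops executing after the redirect (the point about header('Location:')). This is an added example, not code from the question or any of the answers; the login_at/last_seen session keys, the timeout values, and the assumption that loginpage.php sets those keys after a successful login (calling session_regenerate_id(true) at the same time) are this example's own.

```php
<?php
// Added example, not from the original page. Lifetime 0 only asks the browser
// to drop the cookie when it closes; session restore can keep it, so the server
// must judge expiry itself. Assumes loginpage.php sets $_SESSION['user'],
// 'login_at' and 'last_seen' after login (constructed key names).
declare(strict_types=1);

const IDLE_TIMEOUT = 15 * 60;   // log out after 15 minutes without a request
const MAX_LIFETIME = 8 * 3600;  // and unconditionally after 8 hours

function redirectToLogin(): void
{
    header('Location: loginpage.php');
    exit; // stop here; otherwise the member page below is still rendered
}

/**
 * True when the session holds a valid, unexpired login.
 * Expiry is decided by server-side timestamps, not by the cookie's lifetime.
 */
function sessionIsValid(array $session, int $now): bool
{
    if (($session['user'] ?? null) !== 'logged') {
        return false;
    }
    if (!isset($session['login_at'], $session['last_seen'])) {
        return false;
    }
    return ($now - $session['last_seen']) <= IDLE_TIMEOUT
        && ($now - $session['login_at']) <= MAX_LIFETIME;
}

session_set_cookie_params([
    'lifetime' => 0,      // still a "session" cookie from the browser's view
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable by page scripts
    'samesite' => 'Lax',
]);
session_start();

if (!sessionIsValid($_SESSION, time())) {
    $_SESSION = [];
    session_destroy();   // drop the server-side session data as well
    redirectToLogin();
}
$_SESSION['last_seen'] = time(); // sliding idle window for the next request
```

With this guard a restored cookie after a browser restart still reaches the member page, but the request is refused once the idle or absolute limit has passed, whatever the browser did with the cookie.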