php session_destroy浏览器记住用户名和密码
我正在使用 php 身份验证方法进行摘要身份验证,如 php 手册。除了注销部分之外,一切都运行良好。
我正在使用 session_destroy() 尝试注销我的用户,它确实做到了。但是我的问题是,如果用户在关闭浏览器之前重新登录,则不会提示他们输入用户名和密码,并且会使用上次输入的用户名和密码自动登录。
浏览器似乎以某种方式记住了凭据。在 Firefox 中,如果我在尝试重新登录之前手动清除“清除浏览历史记录”中的“活动登录”,则会提示我输入用户名和密码,即使用户已使用 session_destroy()。
我还使用 php 手册中的示例 来清除 cookie,但是这似乎没有帮助,这似乎不是一个cookie问题。
这是我的 logout.php 代码
<?php
session_start();
$_SESSION = array();
//destroy cookie if it exists
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
//destroy session
session_destroy();
header("location:form.php");
exit();
?>
我缺少什么?感谢您的帮助!
I am using the php authentication method for digest authentication as shown on the php manual. All is working well except for the logout part.
I am using session_destroy() to try and log my users out, which it does. However my problem is if the user goes to log back in before closing the browser out they are not prompted for a username and password and they are automatically logged back in with the last username and password they entered.
It seems the credentials are somehow being remembered by the browser. In Firefox if I manually clear "active logins" in the "clear browsing history" before trying to log back in then I am prompted for the username and password even though the user has been logged out with session_destroy().
I am also using an example from the php manual to clear the cookie but that doesn't seem to help, it doesn't seem to be a cookie problem.
Here is my logout.php code
<?php
session_start();
$_SESSION = array();
//destroy cookie if it exists
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
//destroy session
session_destroy();
header("location:form.php");
exit();
?>
What am I missing? Thanks for any help!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
HTTP 身份验证的工作方式与会话身份验证略有不同。
清除 http Auth 会话的唯一方法是更改领域名称。
检查 http://www.php.net/manual/en/ features.http-auth.php#100396(评论#100396)这是我发现的地方。
顺便说一句:使用会话进行身份验证要容易得多,您有更多的可能性来存储用户信息等。因此,如果没有特定的原因使用 httpAuth,您可能会更好地使用会话。
HTTP Auth works slightly different then authentication with session.
The only possibility to clear a http Auth session is to change the realm name.
Check http://www.php.net/manual/en/features.http-auth.php#100396 (Comment #100396) it's where I found out.
BTW: It's a lot easier to use sessions for authentication, you have a lot more possibilities to store user information etc. so if there is no certain reason for httpAuth you might be better with using sessions.
会话销毁不会删除会话中存储的项目。
您可以手动取消它们:
session destroy won't delete the items stored in the session.
You can unset them manually :
你说当他们推回时,他们会再次登录。您确定当他们通过重新发送登录表单进行拒绝时实际上并没有再次登录吗?在登录功能的最后,尝试执行以下操作:
或调整为登录时需要访问的任何 URI。这将防止用户通过按后退按钮重新提交表单。
You say when they push back, they are logged in again. Are you sure they are not actually logging in again when they push back by resending the login form? In your login function, at the very end, try doing a:
Or adjust to whatever URI they need to go to when they log in. This will prevent the user from resubmitting the form by pushing the back button.