Hello, I am creating a secure login feature for my website. I have a function called sessionTimeOut() that I call at the top of every page of my site. As you can see in the function, if the user has been inactive for more than 30 minutes, I call the logOut() function and the secure_session_start() function before redirecting the user back to the login page. I would like to know whether these functions will execute completely before the redirect happens. I am not sure of the best way to debug the code. Any help would be greatly appreciated.
function sessionTimeOut() {
    // We implement a session timeout of our own. We use a simple time stamp that denotes
    // the time of the last activity (i.e. request) and update it with every request.
    if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
        // Last request was more than 30 minutes ago.
        logOut();
        // Start a new secure session so that we can create a new session variable.
        secure_session_start();
        // Create a session variable to say that the login session has timed out,
        // to be read after redirecting to the login page.
        $_SESSION['loginTimedOut'] = true;
        header('Location: login.php');
        exit();
    }
    $_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp

    // We also use an additional time stamp to regenerate the session ID periodically
    // to limit the window for attacks on sessions.
    if (!isset($_SESSION['CREATED'])) {
        $_SESSION['CREATED'] = time();
    } else if (time() - $_SESSION['CREATED'] > 1800) {
        // Session started more than 30 minutes ago.
        session_regenerate_id(true); // change session ID for the current session and invalidate the old one
        $_SESSION['CREATED'] = time(); // update creation time
    }
}
The logOut() function:
function logOut() {
    // Unset all session values.
    $_SESSION = array();
    // Get session cookie parameters.
    $params = session_get_cookie_params();
    // Delete the actual cookie by expiring it in the past.
    setcookie(session_name(),
        '', time() - 42000,
        $params["path"],
        $params["domain"],
        $params["secure"],
        $params["httponly"]);
    // Destroy the server-side session data.
    session_destroy();
}
function secure_session_start() {
    /* This is a function to start a PHP session in a secure way.
     * It stops attackers accessing the session id cookie through JavaScript (for example in an XSS attack).
     * The session_regenerate_id() call, which regenerates the session id on every page load,
     * also helps prevent session hijacking and fixation.
     */
    $session_name = 'secure_session_id'; // Set a custom session name
    $secure = false; // set to true if https
    // This stops JavaScript being able to access the session id.
    $httponly = true;
    // Forces sessions to only use cookies (no session id in the URL).
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
        exit();
    }
    // Get current cookie params and re-apply them with the secure/httponly flags.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
        $cookieParams["path"],
        $cookieParams["domain"],
        $secure,
        $httponly);
    // Set the session name to the one chosen above.
    session_name($session_name);
    session_start(); // Start the PHP session
    session_regenerate_id(true); // regenerate the session id and delete the old one to prevent session fixation attacks
}
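Added example, not the asker's code: header() only queues the Location header and nothing is sent until exit(), so logOut() and secure_session_start() do run first; what is harder to check is the timing logic itself, so this pulls the decision out of sessionTimeOut() into a pure function (names sessionTimeoutDecision and the injected $now are my own, and the request timestamps are constructed) that can be run from the CLI without cookies or a live session.

```php
<?php
// Same two checks as sessionTimeOut(), but with $now injected and side effects
// (logOut/secure_session_start/session_regenerate_id/header) reported as a
// string so the sequence can be run under php-cli and inspected.
function sessionTimeoutDecision(array &$session, int $now, int $idleLimit = 1800, int $maxAge = 1800): string
{
    // Idle check: last request more than $idleLimit seconds ago -> log out.
    if (isset($session['LAST_ACTIVITY']) && ($now - $session['LAST_ACTIVITY'] > $idleLimit)) {
        // This is the state logOut() + secure_session_start() leave behind
        // before the page does header('Location: login.php'); exit();
        $session = ['loginTimedOut' => true];
        return 'timed_out';
    }
    $session['LAST_ACTIVITY'] = $now;

    // Age check: session created more than $maxAge seconds ago -> rotate the id.
    if (!isset($session['CREATED'])) {
        $session['CREATED'] = $now;
        return 'created';
    }
    if ($now - $session['CREATED'] > $maxAge) {
        $session['CREATED'] = $now; // caller would call session_regenerate_id(true) here
        return 'regenerate';
    }
    return 'ok';
}

// Constructed request times (seconds after the first request) that walk through
// every branch: fresh session, normal activity, id rotation at >30 min age,
// idle timeout at >30 min since last request, then the next page load.
$t0 = 1700000000;
$sess = [];
$trace = [];
foreach ([0, 600, 1200, 1900, 3900, 3901] as $offset) {
    $trace[] = sprintf('%5ds -> %s', $offset, sessionTimeoutDecision($sess, $t0 + $offset));
}
echo implode("\n", $trace), "\n";
// Expected: created, ok, ok, regenerate, timed_out, created.
// After the timed_out step $sess is ['loginTimedOut' => true]; the next request
// (3901s) then re-seeds LAST_ACTIVITY and CREATED, exactly as login.php would
// when it calls sessionTimeOut() at the top of the page.
var_export($sess);
echo "\n";
```

Run it with `php timeout_check.php`; if the printed sequence differs from the expected one, the bug is in the timestamp logic rather than in the redirect.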