My security concern is that the user should not need to refresh the page in order for the session to be destroyed. Simply idling should redirect and destroy the session. This is similar to this, and I have implemented the code. However, it requires the user to refresh the page, or some javascript / jquery to refresh it for them. But since anyone can change the javascript running on their browser client, isn't that insecure? Here is my current code:
<?php
require('config.php');
session_start();
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 10)) {
// last request was more than 10 seconds ago (test value; use e.g. 1800 for 30 minutes)
$_SESSION = array(); // clear session data; unset($_SESSION) would disable session handling entirely
session_destroy();
header('Location: login.php');
session_write_close();
exit;
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
if (!isset($_SESSION['CREATED'])) {
$_SESSION['CREATED'] = time();
} else if (time() - $_SESSION['CREATED'] > 10) {
// session started more than 10 seconds ago (test value; use e.g. 1800 for 30 minutes)
session_regenerate_id(true); // change session ID for the current session and invalidate old session ID
$_SESSION['CREATED'] = time(); // update creation time
}
if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true) {
//Do my stuff and show the data to be secured
} else {
echo "Forbidden";
exit;
}
?>
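The security boundary in this pattern is the server-side check, not the client refresh: the idle timeout is evaluated on whatever request arrives next, so a client that disables the JavaScript can only keep a stale page on screen, not extend the session. The following is an added example, not the asker's code, of that check factored into a reusable include; the file name `session_guard.php`, the function names and the timeout values are assumptions for illustration.

```php
<?php
// Added example (not the asker's code): a server-side session guard that enforces
// idle and absolute timeouts on every request, independent of any client-side JS.
// Names and timeout values here are assumptions chosen for illustration.

const IDLE_TIMEOUT     = 30 * 60;  // seconds of inactivity before the session is dropped
const ABSOLUTE_TIMEOUT = 8 * 3600; // hard lifetime regardless of activity
const REGEN_INTERVAL   = 30 * 60;  // rotate the session ID this often

function start_guarded_session(string $login_url = 'login.php'): void
{
    // The session cookie is the only client-side state that matters; lock it down.
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable by page JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    $now     = time();
    $last    = $_SESSION['LAST_ACTIVITY'] ?? $now;
    $created = $_SESSION['CREATED'] ?? $now;

    $idle_expired     = ($now - $last) > IDLE_TIMEOUT;
    $absolute_expired = ($now - $created) > ABSOLUTE_TIMEOUT;

    if ($idle_expired || $absolute_expired) {
        // Wipe server-side state, delete the cookie, and send the client to login.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                      $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        header('Location: ' . $login_url, true, 302);
        exit;
    }

    $_SESSION['LAST_ACTIVITY'] = $now;
    if (!isset($_SESSION['CREATED'])) {
        $_SESSION['CREATED'] = $now;
    }

    // Periodically rotate the session ID to limit the useful life of a leaked ID.
    if (!isset($_SESSION['LAST_REGEN']) || ($now - $_SESSION['LAST_REGEN']) > REGEN_INTERVAL) {
        session_regenerate_id(true);
        $_SESSION['LAST_REGEN'] = $now;
    }
}

function require_login(): void
{
    if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
        http_response_code(403);
        echo 'Forbidden';
        exit;
    }
}

// Usage in a protected page (assumed layout):
//   require 'session_guard.php';
//   start_guarded_session();
//   require_login();
//   ... render the data to be secured ...
```

With this in place a client-side timer that navigates to the login page is purely a usability measure (clearing a sensitive page from the screen); removing it gives an attacker nothing, because the next request to any guarded page is rejected by the server regardless of what ran in the browser.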