Posted by Rik on 07/30/06 20:05
axlq wrote:
> Followup to my own post. I think I have solved the problem by
> forcing regeneration of the session ID if the session ID has the
> value 'deleted' -- like this:
>
> session_start();
> if (session_id() == 'deleted')
>     session_regenerate_id(true);
>
> As far as my tests have shown, this prevents multiple browsers
> from sharing the 'sess_deleted' session file on the server, if
> those browsers have a deleted session cookie and are attempting to
> re-log-in to my site.
>
> This has nothing to do with being behind a NAT.
Hmmm, when I
file1.php
<?php
session_name('check_name');
session_start();
$_SESSION['var1'] = 'something';
?>
file2.php
<?php
session_name('check_name');
session_start();
$_SESSION = array();
setcookie(session_name(),'',time()-3600,'/');
session_destroy();
?>
There doesn't appear to be a 'sess_deleted' file. The sess_{random_string} file
just disappears. This is also true with a custom save path. Even adding a
session_start() directly after it, or on a redirect, will create a totally
new unique sess_file.
Although you have a workaround now, could you maybe post your total logout
script (for I still think there's the error) and not just the excerpt?
Otherwise, it will haunt me for days :-)
Grtz,
--
Rik Wasmus
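
Added example, not part of either post: a session bootstrap and logout pair that combines the quoted 'deleted' check with session.use_strict_mode, so a session ID the server never issued does not end up backing a shared session file. The function names are hypothetical, and it assumes PHP 7.0 or later and the 'check_name' session name from the test files above.

```php
<?php
// Added example; start_session_safely() and logout() are hypothetical names.

function start_session_safely(string $name = 'check_name'): void
{
    // Refuse client-supplied IDs that have no server-side session yet.
    ini_set('session.use_strict_mode', '1');
    session_name($name);
    session_start();

    // Strict mode only rejects IDs with no stored session. If a
    // sess_deleted file already exists it would still be accepted,
    // so keep the explicit check from the quoted workaround.
    if (session_id() === 'deleted') {
        session_regenerate_id(true); // true: remove the old session file
        $_SESSION = array();         // do not inherit the shared data
    }
}

function logout(string $name = 'check_name'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        start_session_safely($name);
    }

    // Drop the data held in memory for this request.
    $_SESSION = array();

    // Expire the cookie with the same path, domain and flags it was
    // issued with; a mismatch leaves the old cookie in the browser.
    $p = session_get_cookie_params();
    setcookie(
        session_name(),
        '',
        time() - 3600,
        $p['path'],
        $p['domain'],
        $p['secure'],
        $p['httponly']
    );

    // Remove the server-side session file.
    session_destroy();
}
```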