I'm not very sure about that, but this is how my login function creates the session:
// Constant-time, type-strict comparison of the stored and submitted hashes.
if (hash_equals((string) $db_password, (string) $password)) {
    // Password is correct!
    // Get the user-agent string of the user.
    $user_browser = $_SERVER['HTTP_USER_AGENT'];
    $_SESSION['user_id'] = $user_id;
    // XSS protection as we might print this value
    $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username);
    $_SESSION['username'] = $username;
    // XSS protection as we might print this value
    $acc_type = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $acc_type);
    $_SESSION['acc_type'] = $acc_type;
    $_SESSION['pwd_changed'] = $pwd_changed;
    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
    // Login successful.
    $last_ip = get_ip_address();
    // Bind the values instead of interpolating them into the SQL string.
    $stmt = $mysqli->prepare("UPDATE members SET last_ip = ? WHERE id = ?");
    $stmt->bind_param('ss', $last_ip, $user_id);
    $stmt->execute();
    return true;
}
This is how I start the sessions:
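function sec_session_start() {
    $session_name = 'sec_session_id'; // Set a custom session name
    $secure = SECURE;
    // This stops JavaScript being able to access the session id.
    $httponly = true;
    // Forces sessions to only use cookies.
    if (ini_set('session.use_only_cookies', 1) === false) {
        // URL-encode the message and stop, so the redirect is valid and nothing else runs.
        header("Location: /error?err=" . urlencode("No se pudo iniciar una sesión segura (ini_set)"));
        exit;
    }
    // Gets current cookies params.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
        $cookieParams["path"],
        $cookieParams["domain"],
        $secure,
        $httponly);
    // Sets the session name to the one set above.
    session_name($session_name);
    // Start the PHP session.
    session_start();
}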
And this is logout.php:
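// Unset all session values
$_SESSION = array();
// get session parameters
$params = session_get_cookie_params();
// Delete the actual cookie (any expiry time in the past removes it).
setcookie(session_name(), '', time() - 42000,
    $params["path"],
    $params["domain"],
    $params["secure"],
    $params["httponly"]);
// Destroy session
session_destroy();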
I think the problem is in the sec_session_start() function... but I'm not sure; if anyone could confirm that for me.
Thanks!