on 21/03/03 4:57 PM, Beauford.2002 ([EMAIL PROTECTED]) wrote:

> I have read some posts to this list on sessions and have read as much as I
> can find on them, but one problem still exists which I can't figure out. How
> do I kill the session when the user leaves my site? So if a user is on
> www.mine.com and logs in successfully, then goes to www.hers.com - the user
> should have to log in again once coming back to www.mine.com, but at present
> the user is still logged in - and all variables are still set.

How can PHP possibly tell when the user closes a window, or manually enters
a new URL into the browser?

It can't because PHP is only server side.

Set the appropriate session max lifetime and garbage clean out probability,
and sessions should die within a reasonable time of not being used (see
php.ini for more info).

Or, present the user with a logout link, to be sure the session is killed
instantly.

You can also do some *extra* insurance by creating a javascript pop-up
triggered on a window close event which forces a log out, but this will only
help in some cases, and more to the point, client-side scripting cannot be
relied upon.

If you want to kill sessions as people click on external links within your
site, you can do so by creating a middle-man script between your page and
the external site:

Instead of 
<a href='http://newsite.com'>click</a> you would do this:

<a href='out.php?url=<?=urlencode('http://newsite.com')?>'>click</a>

out.php would be responsible for killing the session before doing a header()
redirect to the target url.


But, end of the day, all these are work-arounds.  Offer a logout link on
every page of your site.  If the user chooses not to logout, then they are
consciously making this decision -- they may want to come back shortly, or
they may not care about the security implications -- either way, it's their
call.


Justin


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
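
A sketch of the out.php middle-man script described in the reply above, as an added example that is not part of the original post. It kills the session and then redirects, but only to hosts on an allowlist, so the url parameter cannot send visitors to arbitrary sites. ALLOWED_HOSTS, safe_target() and the fallback to "/" are assumptions made for illustration.

```php
<?php
// out.php: end the session, then redirect to an external link.
// ALLOWED_HOSTS and safe_target() are hypothetical names (assumed allowlist of link targets).
const ALLOWED_HOSTS = ['newsite.com', 'www.newsite.com'];

// Return $url if it is an absolute http(s) URL on an allowed host, else null.
function safe_target(?string $url): ?string
{
    if ($url === null || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return null; // control chars, whitespace, backslashes: header injection / parser tricks
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // relative or malformed URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // no javascript:, data:, etc.
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // no userinfo such as http://newsite.com@other.example/
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null; // host not on the allowlist
    }
    return $url;
}

session_start();
// Kill the session: clear the data, expire the cookie, destroy the server-side record.
$_SESSION = [];
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}
session_destroy();

$raw = $_GET['url'] ?? null;
$target = safe_target(is_string($raw) ? $raw : null);
if ($target === null) {
    // Unknown destination: send the visitor back to our own front page.
    header('Location: /', true, 302);
    exit;
}
header('Location: ' . $target, true, 302);
exit;
```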
