Re: [PHP] close session when browser is closed
Your application/session will never get any information whether the user closes his browser or a tab! Even the lifetime of the session cookie is depending on which browser the user is on and if any other window is open. So the only solution would be polling some "watchdog.php" using a XMLHttpRequest and unsetting the $_SESSION['username'] at the next contact if a predefinded timeout is exceeded . Alain Roger wrote: > > So i would like to have it well done as following : > > 1. if user close the browser : session is destroyed and user is redirected > to main HTTPS page (the login one) > 2. if user close the TAB in which the web application worked, the session > data (so cookies if i understood well) should be destroyed to avoid any > possibile hacking. > > How should i do that ? > for point 1, i was thinking to check is the $_SESSION['username'] data is > set. this variable is set only after authentication of user. > but for point 2 i have no idea. > > thanks, > > Alain > > On 3/24/07, Richard Lynch <[EMAIL PROTECTED]> wrote: >> >> If you set the session timeout to 0, then it dies when the browser is >> quit. >> >> On Wed, March 21, 2007 12:37 pm, Alain Roger wrote: >> > Hi, >> > >> > I would like to know what is the best solution for my problem. >> > >> > When a user is connected to a https page and a session is open, if >> > user >> > close his browser, the session ID is still active in the browser >> > "history". >> > It means that next time when user will start his browser, the browser >> > will >> > re-use the same session ID and will work with php pages without any >> > problem. >> > >> > I was thinking to use cookie to solve this issue, but what should i do >> > when >> > user browser refuse cookies ? >> > >> > thanks a lot, >> > >> > -- >> > Alain >> > >> > Windows XP SP2 >> > PostgreSQL 8.1.4 >> > Apache 2.0.58 >> > PHP 5 >> > >> >> >> -- >> Some people have a "gift" link here. >> Know what I want? >> I want you to buy a CD from some indie artist. >> http://cdbaby.com/browse/from/lynch >> Yeah, I get a buck. So? >> >> > > > -- > Alain > > Windows XP SP2 > PostgreSQL 8.1.4 > Apache 2.0.58 > PHP 5 > > -- View this message in context: http://www.nabble.com/close-session-when-browser-is-closed-tf3443138.html#a9648288 Sent from the PHP - General mailing list archive at Nabble.com. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] close session when browser is closed
So i would like to have it well done as following : 1. if user close the browser : session is destroyed and user is redirected to main HTTPS page (the login one) 2. if user close the TAB in which the web application worked, the session data (so cookies if i understood well) should be destroyed to avoid any possibile hacking. How should i do that ? for point 1, i was thinking to check is the $_SESSION['username'] data is set. this variable is set only after authentication of user. but for point 2 i have no idea. thanks, Alain On 3/24/07, Richard Lynch <[EMAIL PROTECTED]> wrote: If you set the session timeout to 0, then it dies when the browser is quit. On Wed, March 21, 2007 12:37 pm, Alain Roger wrote: > Hi, > > I would like to know what is the best solution for my problem. > > When a user is connected to a https page and a session is open, if > user > close his browser, the session ID is still active in the browser > "history". > It means that next time when user will start his browser, the browser > will > re-use the same session ID and will work with php pages without any > problem. > > I was thinking to use cookie to solve this issue, but what should i do > when > user browser refuse cookies ? > > thanks a lot, > > -- > Alain > > Windows XP SP2 > PostgreSQL 8.1.4 > Apache 2.0.58 > PHP 5 > -- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some indie artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- Alain Windows XP SP2 PostgreSQL 8.1.4 Apache 2.0.58 PHP 5
Re: [PHP] close session when browser is closed
If you set the session timeout to 0, then it dies when the browser is quit. On Wed, March 21, 2007 12:37 pm, Alain Roger wrote: > Hi, > > I would like to know what is the best solution for my problem. > > When a user is connected to a https page and a session is open, if > user > close his browser, the session ID is still active in the browser > "history". > It means that next time when user will start his browser, the browser > will > re-use the same session ID and will work with php pages without any > problem. > > I was thinking to use cookie to solve this issue, but what should i do > when > user browser refuse cookies ? > > thanks a lot, > > -- > Alain > > Windows XP SP2 > PostgreSQL 8.1.4 > Apache 2.0.58 > PHP 5 > -- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some indie artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] close session when browser is closed
On Mar 22, 2007, at 11:52 PM, Travis Doherty wrote: Juergen Wind wrote: Travis Doherty wrote: By default the session cookie expires when the browseris closed. this is not always true: f.e. FF requires *all* open windows to be closed to forget that session. Personally I think this does make sense. I fully expect the browser to maintain cookies "Until it is closed" -- If I have closed one tab that had set a cookie, re-opening that URL in a new window/tab should still cause the browser to send in my cookie. Ouch! That doesn't make sense to me. I closed the tab/window, I expect that session to be done... period, without having to close down the whole application and restart it and open up all the other windows that I was working in. There are some things about FF that just really raise my hackles... Oh well, that's good info to have anyway, and yet another reason *not* to use FF to check my bank balance. Ed -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] close session when browser is closed
Juergen Wind wrote: >Travis Doherty wrote: > > >>By default the session cookie expires when the browseris closed. >> >> >this is not always true: f.e. FF requires *all* open windows to be closed to >forget that session. > > Personally I think this does make sense. I fully expect the browser to maintain cookies "Until it is closed" -- If I have closed one tab that had set a cookie, re-opening that URL in a new window/tab should still cause the browser to send in my cookie. > > >>If the browser refuses the cookie, sessions won't work anyway. >> >> >again: this is not always true. Only if "session.use_only_cookies = 1" >otherwise the session id can alternatively propagate using the query string >or hidden input fields. >(if "session.use_trans_sid = 1") > > That is correct - as I mentioned "(unless its in the URL...)" ... It's kind of weird to pass sessions through URLs though, I prefer clean, simple URLs such as www.example.com/resource/topic.html, instead of something like www.example.com/?x=resource&y=1113&this=44&PHPSESSID=123124124124124&bookmarkable=not_really Travis -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] close session when browser is closed
Also, on a daily basis last week after a windows update glitch... I had to kill rogue IE processes after it was closed, which I found kept some of my users logged in, which was fun... > > Travis Doherty wrote: > > By default the session cookie expires when the browseris closed. > this is not always true: f.e. FF requires *all* open windows > to be closed to > forget that session. > > >If the browser refuses the cookie, sessions won't work anyway. > again: this is not always true. Only if > "session.use_only_cookies = 1" > otherwise the session id can alternatively propagate using > the query string > or hidden input fields. > (if "session.use_trans_sid = 1") > > just my 2 cent > > -- > View this message in context: > http://www.nabble.com/close-session-when-browser-is-closed-tf3 > 443138.html#a9627180 > Sent from the PHP - General mailing list archive at Nabble.com. > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- > No virus found in this incoming message. > Checked by AVG Free Edition. > Version: 7.5.446 / Virus Database: 268.18.17/730 - Release > Date: 3/22/2007 7:44 AM > > -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.446 / Virus Database: 268.18.17/730 - Release Date: 3/22/2007 7:44 AM -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] close session when browser is closed
Travis Doherty wrote: > By default the session cookie expires when the browseris closed. this is not always true: f.e. FF requires *all* open windows to be closed to forget that session. >If the browser refuses the cookie, sessions won't work anyway. again: this is not always true. Only if "session.use_only_cookies = 1" otherwise the session id can alternatively propagate using the query string or hidden input fields. (if "session.use_trans_sid = 1") just my 2 cent -- View this message in context: http://www.nabble.com/close-session-when-browser-is-closed-tf3443138.html#a9627180 Sent from the PHP - General mailing list archive at Nabble.com. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] close session when browser is closed
Alain Roger wrote: > Hi Brad, > > yes this is one possibility, but since i use https, i should not be > afraid > by storing data in $_SESSION variables. Just a note that while SSL may help to protect the session id from being packet sniffed you should still be concerned about storing sensitive data in _SESSION. Anyone local to the system can probably read plaintext session data from the session cache. HTTPS only protects communications between the client and the server at best, do be afraid! Travis Doherty -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] close session when browser is closed
Alain Roger wrote: > Hi, > > I would like to know what is the best solution for my problem. > > When a user is connected to a https page and a session is open, if user > close his browser, the session ID is still active in the browser > "history". > It means that next time when user will start his browser, the browser > will > re-use the same session ID and will work with php pages without any > problem. > > I was thinking to use cookie to solve this issue, but what should i do > when > user browser refuse cookies ? > > thanks a lot, > This seems odd. By default the session cookie expires when the browser is closed. You can change this by changing ini setting session.cookie_lifetime to something other than default value of zero, in number of seconds. I don't believe using HTTPS changes any of this, I have more than one app that use HTTPS for session cookies and have no problems with it persisting after the browser is closed (well, some browsers can do weird things sometimes... you never really know.) If the browser refuses the cookie, sessions won't work anyway. The session key is sent to the browser as a cookie (unless its in the URL...) www.php.net/session/ Take a look at cookie_lifetime and you might like the cache_expire docs on the same page too. Travis Doherty -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] close session when browser is closed
Hi Brad, yes this is one possibility, but since i use https, i should not be afraid by storing data in $_SESSION variables. So i see that solution as a heavy one. Is there another possibility ? thanks, Al. On 3/21/07, Brad Bonkoski <[EMAIL PROTECTED]> wrote: Alain Roger wrote: > Hi, > > I would like to know what is the best solution for my problem. > > When a user is connected to a https page and a session is open, if user > close his browser, the session ID is still active in the browser > "history". > It means that next time when user will start his browser, the browser > will > re-use the same session ID and will work with php pages without any > problem. > > I was thinking to use cookie to solve this issue, but what should i do > when > user browser refuse cookies ? > > thanks a lot, > Why not store the session data in a database and set an expiration for that session, so even if the session data is preserved it would be expired, and thus force the user to re-authenticate or reload their session variables. -B -- Alain Windows XP SP2 PostgreSQL 8.1.4 Apache 2.0.58 PHP 5
Re: [PHP] close session when browser is closed
Alain Roger wrote: Hi, I would like to know what is the best solution for my problem. When a user is connected to a https page and a session is open, if user close his browser, the session ID is still active in the browser "history". It means that next time when user will start his browser, the browser will re-use the same session ID and will work with php pages without any problem. I was thinking to use cookie to solve this issue, but what should i do when user browser refuse cookies ? thanks a lot, Why not store the session data in a database and set an expiration for that session, so even if the session data is preserved it would be expired, and thus force the user to re-authenticate or reload their session variables. -B -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] close session when browser is closed
Hi, I would like to know what is the best solution for my problem. When a user is connected to a https page and a session is open, if user close his browser, the session ID is still active in the browser "history". It means that next time when user will start his browser, the browser will re-use the same session ID and will work with php pages without any problem. I was thinking to use cookie to solve this issue, but what should i do when user browser refuse cookies ? thanks a lot, -- Alain Windows XP SP2 PostgreSQL 8.1.4 Apache 2.0.58 PHP 5