...

View Full Version : PHP Sessions staying alive after browser closes?



0x001A4
09-14-2009, 04:13 PM
I have a PHP application which I've tested on my machine and everything seems to work fine with logging in and logging out. If I'm logged in, I close my browser, open a new browser and go to the site again and I'm logged out. This happens to me on every computer I use.

I have some remote users that say that if they close their browser and open a new browser, they're still logged in. Does this make sense? Based on my testing, it doesn't make sense to me. Is there anything I can do to remedy this? To ensure the session is killed when the browser is closed?

SKDevelopment
09-14-2009, 04:27 PM
Most probably the users do not close all the browser windows - they close only the window where the system is opened. At least I think I would ask the users to make sure absolutely all browser windows have been closed.

Also I would check that session.cookie_lifetime in php.ini is set to 0. E.g. it could be checked with ini_get() (http://php.net/ini_get). Also just in case I think I would add to .htaccess


php_value session.cookie_lifetime 0

0x001A4
09-14-2009, 04:59 PM
Most probably the users do not close all the browser windows - they close only the window where the system is opened. At least I think I would ask the users to make sure absolutely all browser windows have been closed.


This is what I'm thinking but they swear that all the browser windows are closed when they open the site again. I can't tell them they're wrong ;)

I've checked what session.cookie_timeout is set to and it's 0.

SKDevelopment
09-14-2009, 05:37 PM
I would also check session.use_trans_sid and session.use_only_cookies ... I mean, could it be that trans_sid is used and the session ID is transferred via URLs if session cookies are turned off in the user's browser?

In this case they could possibly get to the same page with PHPSESSID present in the URL ...

Session files are stored in files by default. These files are not deleted from the server usually at once when the session ends. They are deleted by a garbage collector. And the garbage collector is run with some probability when some user opens a page at your site which uses sessions. So with few visitors session data could be kept at the server for a long time...

Still I think it is not the trans_sid case ...

Could you ask the user to log out explicitly if this happens at their side? And you would use session_destroy() (http://php.net/session_destroy) (please see Example #1 at that page) to destroy the session explicitly when "Log Out" is clicked. At least it should destroy the session cookie for sure (if not the file where the session data is stored at the server - the file will be deleted by the garbage collector).

Also it would be good to ask the users which browser they are using ... And it would be probably good to check the system in as many browsers as possible ...
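
The checks and the explicit logout suggested in this thread, put together as an added example (not code posted by either participant). The function names and the EXPECTED table are hypothetical; the ini settings and session functions are PHP's own, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example: names below are illustrative, not from the thread.

// Values that keep the session ID in a browser-session cookie only.
const EXPECTED = [
    'session.cookie_lifetime'  => 0,     // cookie is dropped when the browser exits
    'session.use_only_cookies' => true,  // never accept a session ID from the URL
    'session.use_trans_sid'    => false, // never rewrite links to carry PHPSESSID
];

// Return the settings whose effective value differs from EXPECTED,
// keyed by setting name, with the raw value ini_get() reported.
function session_config_deviations(): array
{
    $bad = [];
    foreach (EXPECTED as $name => $want) {
        $raw  = ini_get($name);
        $have = is_bool($want)
            ? filter_var($raw, FILTER_VALIDATE_BOOLEAN) // "1", "On" => true; "", "0", "Off" => false
            : (int) $raw;
        if ($have !== $want) {
            $bad[$name] = $raw;
        }
    }
    return $bad;
}

// Apply EXPECTED at runtime (must happen before session_start()) and start the session.
function start_browser_session(): void
{
    foreach (EXPECTED as $name => $want) {
        ini_set($name, (string) (int) $want);
    }
    session_start();
}

// Explicit logout, following the pattern of Example #1 in the session_destroy() manual page.
function log_out(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();                 // the session must be open to be destroyed
    }
    $_SESSION = [];                      // drop the data held in this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the cookie with the same path/domain/flags it was issued with.
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                   // destroy the server-side data for this session ID
}
```

Calling session_config_deviations() from a diagnostic page on the production host shows whether php.ini or .htaccess overrides differ from what was tested locally.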


