Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 4 of 4
  1. #1
    New Coder
    Join Date
    Feb 2006
    Posts
    33
    Thanks
    6
    Thanked 0 Times in 0 Posts

    PHP Sessions staying alive after browser closes?

    I have a PHP application which I've tested on my machine and everything seems to work fine with logging in and logging out. If I'm logged in, I close my browser, open a new browser and go to the site again and I'm logged out. This happens to me on every computer I use.

    I have some remote users that say that if they close their browser, open a new browser and they're still logged in. Does this make sense? Based on my testing, it doesnt make sense to me. Is there anything I can do to remedy this? To ensure the session is killed when the browser is closed?

  • #2
    Regular Coder
    Join Date
    Mar 2006
    Posts
    238
    Thanks
    3
    Thanked 37 Times in 37 Posts
    Most probably the users do not close all the browser windows - they close only the window where the system is opened. At least I think I would ask the users to make sure absolutely all browser windows have been closed.

    Also I would check that session.cookie_lifetime in php.ini is set to 0. E.g. it could be checked with ini_get(). Also just in case I think I would add to .htaccess
    Code:
    php_value session.cookie_lifetime 0

  • #3
    New Coder
    Join Date
    Feb 2006
    Posts
    33
    Thanks
    6
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by SKDevelopment View Post
    Most probably the users do not close all the browser windows - they close only the window where the system is opened. At least I think I would ask the users to make sure absolutely all browser windows have been closed.
    This is what I'm thinking but they swear that all the browser windows are closed when they open the site again. I can't tell them they're wrong

    I've checked what session.cookie_timeout is set to and its 0.

  • #4
    Regular Coder
    Join Date
    Mar 2006
    Posts
    238
    Thanks
    3
    Thanked 37 Times in 37 Posts
    I would also check session.use_trans_sid and session.use_only_cookies ... I mean could it be that trans_sid is used and session ID is transferred via URL's if session cookies are turned off in the user browser ?

    In this case they could possibly get to the same page with PHPSESSID present in the URL ...

    Session files are stored in files by default. These files are not deleted from the server usually at once when the session ends. They are deleted by a garbage collector. And the garbage collector is run with some probability when some user opens a page at your site which uses sessions. So with few visitors session data could be kept at the server for a long time...

    Still I think it is not the trans_sid case ...

    Could you ask the user to log out explicitly if this happens at their side ? And you would use session_destroy() (please see Example #1 at that page) to destroy the session explicitely when "Log Out" is clicked. At least it should destroy the session cookie for sure (if not the file where the session data is stored at the server - the file will be deleted by the garbage collector).

    Also it would be good to ask the users which browser they are using ... And it would be probably good to check the system in as many browsers as possible ...


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •