Thread: [Phplib-users] killing sessions when closing browser
From: Daniel B. <bo...@io...> - 2003-07-14 18:48:54
After I upgraded to phplib 7.4-pre2, I can't seem to get sessions to be destroyed when a browser is closed and then reopened. Before the user would have to log in again, now they are still logged in.

How do I force the login when the browser is closed and then re-opened?

I have Session set to:
$allowcache = no
$lifetime = 0 (for session cookies)

thanks
- daniel

From: Layne W. <la...@dr...> - 2003-07-15 17:36:46
> After I upgraded to phplib 7.4-pre2, and can't seem to get sessions to
> be destroyed when a browser is closed and then reopened. Before the
> user would have to log in again, now they are still logged in.

Sessions have never worked that way. You were mistaken concerning the previous behavior. The only way to tie sessions to a particular browser window is to use GET instead of a session cookie (I do not recommend this). If you actually quit the browser and launch it again you will have destroyed the session cookie and will be forced to login again.

There are two ways in which it could appear that closing and opening a new browser window destroys the session cookie. First, Windows IE can run as multiple processes. If you login to a page, close the window and open a window in a new process, you have a new browser memory with new session cookies - you will have to login. Second, if you allow your auth to expire by inactivity, close the browser window and open another window, you will be forced to login again. Both may initially appear to tie sessions to windows, but they do not. They both work the same in 7.4-pre2 as in previous versions of PHPLib.

> How do I force the login when the browser is closed and then re-opened.

Use GET (I do not recommend this).

I suggest you forget about it. As long as you have auth set to expire at a reasonable time, and encourage your users to logout instead of closing the browser window, you should be just fine.

Layne Weathers

P.S. It occurs to me that you could spawn a pop-under window with javascript that periodically checks to see that the main window is still open. If the main window is not open, the pop-under could load the logout page. There is nothing to prevent the user from closing the pop-under before closing the main window. This kind of "solution" does not work for all users and, IMHO, is rarely worth the effort.

From: Robert H. <rm...@le...> - 2003-07-15 17:49:12
Why not spawn a popup window using the onclose event to request a logout or even just do the logout?

From: Nathaniel P. <np...@te...> - 2003-07-15 18:58:45
----- Original Message -----
From: "Daniel Bondurant" <bo...@io...>
To: <Php...@li...>
Sent: Monday, July 14, 2003 11:45 AM
Subject: [Phplib-users] killing sessions when closing browser

> After I upgraded to phplib 7.4-pre2, and can't seem to get sessions to be destroyed when a browser is closed and then reopened. Before the user would have to log in again, now they are still logged in.
>
> How do I force the login when the browser is closed and then re-opened.
>
> I have Session set to:
> $allowcache = no
> $lifetime = 0 (for session cookies)

Well, you can't really force an explicit logout when the browser is closed (unless you resort to some somewhat unreliable Javascript trickery, as someone else already mentioned). However, using session cookies (as opposed to persistent cookies) for the PHPlib session ID should, in effect, cause a 'logout' of sorts (in reality what happens is that the old, authenticated session is abandoned, and a new one is created when the browser opens). Your settings appear to be correct for the desired behavior, although you might want to make sure that $mode is set to 'cookie' as well.

You might also want to take a look at the cookie that PHPlib sets to make sure that it is a 'session' cookie instead of a persistent cookie. If it's setting a persistent cookie, take a look through your subclass(es) of Session and make sure that the instance variables are being set correctly (i.e. if you set these settings in session.inc's Session, but use a different setting in the subclass of Session in local.inc, the local.inc subclass would override the settings in the session.inc class). Use the subclass in local.inc to set these settings whenever possible.

If that's not the problem, make sure there aren't any problems in your 'auth' scheme. Pay special attention to your auth_validatelogin()/auth_doregister() and auth_preauth() methods in your Auth subclass to make sure that there isn't something there that is logging in your users some other way, which doesn't rely on PHPlib's sessions.

Also, you'll want to make sure that if your app is using 'get' as the default mode, or for some reason $fallback_mode is being used instead of $mode, that the browser isn't automatically appending the session id to the URL after the browser is closed. Normally, this shouldn't happen, however it is possible that bookmarks/favorites with the session id in the url or a 'start browser on the last page I visited' setting could cause an old session to be used. Unfortunately there's not much you can do about this kind of problem (since you can't control whether a client bookmarks a page or uses different settings), although to help alleviate it, you'll want to set $gc_time to a relatively low value. This will garbage-collect old sessions automatically, and make it so that an old session cannot be resurrected if it is older than $gc_time minutes old (at least that's the way I understand it). If you're using 'cookie' mode (and it is working as it should) this paragraph shouldn't apply to you. Check the docs here: http://www.sanisoft.com/phplib/manual/session.php

Although it is not set up in the default install of PHPlib, if you have a customized auto_init file for Session, you might want to look through that to make sure that it doesn't reset the cookies or anything. As I said, if you haven't mucked around with it, it shouldn't be a problem. For more info see: http://www.sanisoft.com/phplib/manual/using_autoinit.php

Also, poorly behaved web-proxies might cause the behavior you described. If you use a web proxy, try disabling it (if you can) or talk to your system administrator.

Hope this helps...

_________________________________
Nathaniel Price <np...@te...>
Webmaster
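The two checks suggested in the last message (is the session cookie really a session cookie, and is the session id leaking into the URL through 'get' or fallback mode) can be scripted against captured responses. The following is an added example, not part of the thread or of PHPlib; the cookie name `Example_Session`, the host name and the sample headers are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit(session_name, set_cookie_headers, url):
    """Report why a session could survive a browser restart.

    session_name       -- name of the session cookie / URL parameter (assumed)
    set_cookie_headers -- Set-Cookie header values from one response
    url                -- URL the browser requested or was redirected to
    """
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name != session_name:
            continue
        # A session cookie carries neither Expires nor Max-Age; either one
        # makes the browser keep it on disk across restarts. (Cookies sent
        # with a past date to delete them are not distinguished here.)
        if "expires" in attrs or "max-age" in attrs:
            findings.append("persistent-cookie")
    # Session id in the query string: survives in bookmarks, history and
    # "reopen last page" settings regardless of cookie lifetime.
    if session_name in parse_qs(urlsplit(url).query):
        findings.append("session-id-in-url")
    return findings


if __name__ == "__main__":
    # Constructed sample data
    name = "Example_Session"
    print(audit(name, ["Example_Session=abc123; path=/"],
                "http://app.example/index.php"))
    print(audit(name,
                ["Example_Session=abc123; expires=Wed, 16 Jul 2003 18:00:00 GMT; path=/"],
                "http://app.example/index.php?Example_Session=abc123"))
```

An empty result means the cookie disappears when the browser process exits; the server-side session record still exists until auth expiry or garbage collection removes it.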