delete field browser close [Anyone else HELP!]
Hi, I am trying to delete an entry in a MySQL table when the browser is closed. The website runs in the sidebar and if that person does not click logout, but just closes the browser window, I need the database session id to be removed.
The session id is generated by me as a string that is saved to a table in a database and referenced on every page for security. When the user logs out the session id is deleted because they clicked something. If the user just closes the browser and the sidebar closes with it, of course, then that session id still remains.
I tried putting an expiry time on it and that worked fine but it annoyed the users having to login after a certain amount of time etc.
Does anyone know of a way to achieve this change/deletion on browser close using sidebar?
I have tried onunload and onbeforeunload etc but with no luck. Still ain't doing it. The session id still remains, which could be a security issue.
Best wishes,
Last edited by phphelpme on Wed Jan 05, 2011 5:07 pm, edited 1 time in total.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: delete field in table on browser close PLEASE HELP ME OU
What does your 'auth' page check for to ensure that a user is logged in?
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Re: delete field in table on browser close PLEASE HELP ME OU
It checks for a session id that has been generated by combining a couple of pieces of user account information. This is saved into the database along with their username and the time they logged in. When they click logout, my script removes this session entry from the database and adds the logout time to the log.
The scripts work fine with no errors or issues at all. But my issue is when someone does not click logout, the session id is not removed from the database, which means if they were to bookmark the page, then not log out but close the browser, they would then be logged back in by clicking the bookmark.
They could share the bookmark not knowing that they are giving someone access to login without user credentials too.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: delete field in table on browser close PLEASE HELP ME OU
phphelpme wrote: It checks for a session id that has been generated by combining a couple of user account information. This is saved into the database along with their username and time they logged in. When they click logout, my script removes this session entry from the database and adds the logout time to the log.
Are you using this self-generated session id just for the database or are you writing it to a session variable as well?
phphelpme wrote: But my issue is when someone does not click logout the session id is not removed from the database which means if they were to bookmark the page then not logout but close the browser they would then be logged back in by clicking the bookmark.
When the browser window is closed, session variables are destroyed. Yeah your self-generated value still remains in the database but if you have a line of code like this
Code: Select all
<?php if ( !isset($_SESSION['self_generated_id']) || ($_SESSION['self_generated_id'] != $databaseValueForSGID) ) { /* no matching session variable: the visitor has to log in */ } ?>
Re: delete field in table on browser close PLEASE HELP ME OU
It's not an issue of checking that the session id matches because I already do that and compare to the database, but if my self-generated session id still remains in the database then they can bookmark this and it still loads that page because the session id is recognised in the database.
In answer to your question do I use the session in a variable, the answer would be yes, that sgid is saved in the database and also assigned to $session that is then compared to the database.
I have enclosed a little code that I have been trying to attempt to run my logout script when the browser is closed.
Code: Select all
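<script type="text/javascript">
// Runs when the page unloads and requests the logoff script for this session id
function browserclose()
{
location.href="scripts/logoff.php?sessionid=$sessionid";
}
// Assign the function itself; do not call it here
window.onunload = browserclose;
</script>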
</head>
<body onunload="browserclose()">
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: delete field in table on browser close PLEASE HELP ME OU
phphelpme wrote: but if my self generated session id still remains in the database then they can bookmark this and it still loads that page because the session id is recognised in the database.
I'm going on the assumption that you have tested the bookmark option and found that it does indeed give an unauthorized user access to the page of a registered user.
phphelpme wrote: ...still remains in the database then they can bookmark this...
Yes, the session id is in the database but your session variables ($_SESSION) are destroyed when the browser window is closed. Do this test in Firefox: log in to your secure area, look for a cookie called PHPSESSID and make a note of the value it contains. Now close the browser, without logging off. Then open that bookmark again and look for the same cookie. It should be set, but the value of PHPSESSID is now changed, indicating a new session. Now there are no $_SESSION variables to check against, i.e. !isset($_SESSION['variable']), so whoever wants to access that bookmarked page needs to log in.
Re: delete field in table on browser close PLEASE HELP ME OU
Right, just to let you know that I use my own session and not phpsessions. I do not use cookies; I use the database and run everything from there so that the system will still work if someone has their cookies turned off.
Yes, the session id is saved and referenced to in the database to prove that it is an official logged in user. My session id value is not destroyed when the browser is closed because I do not use phpsessions or cookies for the reason stated above.
That is why I wanted my logout.php script to run when they close the browser and that would erase the session id in the database.
Thanks for your help by the way.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: delete field in table on browser close PLEASE HELP ME OU
phphelpme wrote: Right, just to let you know that I use my own session and not phpsessions.
You should have led with that in the opening post
Re: delete field in table on browser close PLEASE HELP ME OU
Yeah, sorry about that matey. Forgot to mention that one mate. Sorry for messing you around. Thanks for all your help by the way. That's why I need something like the onunload function or something to load the logout.php script maybe.
I am not sure but trying all sorts of things and it is not removing the session stored in the database.
- thecodewall
- Forum Commoner
- Posts: 33
- Joined: Sun Dec 26, 2010 8:37 am
Re: delete field in table on browser close PLEASE HELP ME OU
I have the same problem with my other application.
Usually we have no responsibility if the user did not logout, it's their own responsibility.
http://codewall.blogspot.com
Last edited by thecodewall on Thu Jan 06, 2011 12:42 am, edited 2 times in total.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: delete field in table on browser close PLEASE HELP ME OU
phphelpme wrote: yeah, sorry about that matey
No probs
thecodewall wrote: Usually we have no responsibility if the user did not logout, its in their own responsibility.
That's a bit unreasonable IMO, no fault on your part but the user shouldn't suffer for something like that.
Re: delete field in table on browser close PLEASE HELP ME OU
I agree social, and yes it is a custom built system that I built myself. I am just trying to find a way to run my logout script when the browser closes etc or the tab closes etc.
If any advice can be given or example coding then that would be great.
Re: delete field in table on browser close PLEASE HELP ME OU
Can anyone else shed some light on this situation I am currently having? Any additional help would be great. Thanks social for your great input.
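An added example, not code from any poster in this thread: unload handlers do not fire reliably when a browser is closed, so the stored id can instead be expired on the server after a period without requests, with the timestamp refreshed on every page load so that active users are not forced to log in again. The table layout, `IDLE_LIMIT`, the function names, the random id and the in-memory SQLite store are assumptions; the system described in the thread uses MySQL.

```php
<?php
// Added example. Table and column names, IDLE_LIMIT and the function names are
// assumptions; in-memory SQLite stands in for the MySQL table from the thread.
const IDLE_LIMIT = 900; // seconds without a request before a stored id stops working

function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (sid TEXT PRIMARY KEY, username TEXT, last_seen INTEGER)');
    return $db;
}

function login(PDO $db, string $username, int $now): string {
    $sid = bin2hex(random_bytes(32)); // unpredictable id, not derived from account data
    $db->prepare('INSERT INTO sessions (sid, username, last_seen) VALUES (?, ?, ?)')
       ->execute([$sid, $username, $now]);
    return $sid;
}

// Run at the top of every protected page. Returns the username, or null when
// the id is unknown or has been idle for longer than IDLE_LIMIT.
function check_session(PDO $db, string $sid, int $now): ?string {
    // Delete every stale row, which covers browsers closed without a logout.
    $db->prepare('DELETE FROM sessions WHERE last_seen < ?')->execute([$now - IDLE_LIMIT]);
    $q = $db->prepare('SELECT username FROM sessions WHERE sid = ?');
    $q->execute([$sid]);
    $user = $q->fetchColumn();
    if ($user === false) {
        return null; // caller sends the visitor to the login form
    }
    // Sliding window: each request from an active user pushes the deadline out.
    $db->prepare('UPDATE sessions SET last_seen = ? WHERE sid = ?')->execute([$now, $sid]);
    return $user;
}

// Constructed walk-through with fixed clock values (seconds).
$db  = open_store();
$sid = login($db, 'alice', 1000);
var_dump(check_session($db, $sid, 1600)); // request 600 s after login
var_dump(check_session($db, $sid, 2200)); // another request 600 s later
var_dump(check_session($db, $sid, 3200)); // bookmark opened 1000 s after the last request
```

With this check in place, a bookmarked or shared URL that carries the id only works until the idle limit passes after the owner's last request.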