
delete field browser close [Anyone else HELP!]

Posted: Thu Dec 30, 2010 6:00 pm
by phphelpme
Hi, I am trying to delete an entry in a MySQL table when the browser is closed. The website runs in the sidebar and if that person does not click logout, but just closes the browser window, I need the database session id to be removed.

The session id is generated by me as a string that is saved to a table in a database and referenced on every page for security. When the user logs out the session id is deleted because they clicked something. If the user just closes the browser and the sidebar closes with it, of course, then that session id still remains.

I tried putting an expiry time on it and that worked fine but it annoyed the users having to login after a certain amount of time etc.

Does anyone know of a way to achieve this change/deletion on browser close using sidebar?

I have tried onunload and onbeforeunload etc. but with no luck. Still ain't doing it. The session id still remains, which could be a security issue.

Best wishes,

Re: delete field in table on browser close PLEASE HELP ME OU

Posted: Thu Dec 30, 2010 6:34 pm
by social_experiment
What does your 'auth' page check for to ensure that a user is logged in?

Re: delete field in table on browser close PLEASE HELP ME OU

Posted: Thu Dec 30, 2010 6:39 pm
by phphelpme
It checks for a session id that has been generated by combining a couple of user account information. This is saved into the database along with their username and time they logged in. When they click logout, my script removes this session entry from the database and adds the logout time to the log.

The scripts work fine with no errors or issues at all. But my issue is when someone does not click logout the session id is not removed from the database which means if they were to bookmark the page then not logout but close the browser they would then be logged back in by clicking the bookmark.

They could share the bookmark not knowing that they are giving someone access to login without user credentials too.

Re: delete field in table on browser close PLEASE HELP ME OU

Posted: Thu Dec 30, 2010 6:55 pm
by social_experiment
phphelpme wrote:It checks for a session id that has been generated by combining a couple of user account information. This is saved into the database along with their username and time they logged in. When they click logout, my script removes this session entry from the database and adds the logout time to the log.
Are you using this self-generated session id just for the database or are you writing it to a session variable as well?
phphelpme wrote:But my issue is when someone does not click logout the session id is not removed from the database which means if they were to bookmark the page then not logout but close the browser they would then be logged back in by clicking the bookmark.
When the browser window is closed, session variables are destroyed. Yeah your self-generated value still remains in the database but if you have a line of code like this

Code: Select all

<?php if ( !isset($_SESSION['self_generated_id']) || ($_SESSION['self_generated_id'] != $databaseValueForSGID) ) ?>
If the session variable isn't set, or it doesn't match the one in the database, the user is redirected to the login page. You bring up an interesting point with the bookmarking of a page though.

Re: delete field in table on browser close PLEASE HELP ME OU

Posted: Thu Dec 30, 2010 7:01 pm
by phphelpme
It's not an issue of checking that the session id matches because I already do that and compare to the database, but if my self generated session id still remains in the database then they can bookmark this and it still loads that page because the session id is recognised in the database.

In answer to your question do I use the session in a variable, the answer would be yes, that sgid is saved in the database and also assigned to $session that is then compared to the database.

I have enclosed a little code that I have been trying to attempt to run my logout script when the browser is closed.

Code: Select all


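<script type="text/javascript">
// Handler intended to load the logout script when the page unloads
function browserclose()
{
location.href="scripts/logoff.php?sessionid=$sessionid";
}
// Assign the function itself; do not call it here
window.onunload = browserclose;
</script>

</head>
<body onunload="browserclose()">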

Re: delete field in table on browser close PLEASE HELP ME OU

Posted: Thu Dec 30, 2010 7:19 pm
by social_experiment
phphelpme wrote:but if my self generated session id still remains in the database then they can bookmark this and it still loads that page because the session id is recognised in the database.
I'm going on the assumption that you have tested the bookmark option and found that it does indeed give an unauthorized user access to the page of a registered user.
phphelpme wrote:...still remains in the database then they can bookmark this...
Yes, the session id is in the database but your session variables ($_SESSION) are destroyed when the browser window is closed. Do this test in Firefox: log in to your secure area, look for a cookie called PHPSESSID and make a note of the value it contains. Now close the browser, without logging off. Then open that bookmark again and look for the same cookie. It should be set, but the value of PHPSESSID is now changed, indicating a new session. Now there are no $_SESSION variables to check against, i.e. !isset($_SESSION['variable']), so whoever wants to access that bookmarked page needs to login.

Re: delete field in table on browser close PLEASE HELP ME OU

Posted: Thu Dec 30, 2010 7:27 pm
by phphelpme
Right, just to let you know that I use my own session and not phpsessions. I do not use cookies; I use the database and run everything from there so that the system will still work if someone has their cookies turned off. :)

Yes, the session id is saved and referenced to in the database to prove that it is an official logged in user. My session id value is not destroyed when the browser is closed because I do not use phpsessions or cookies for the reason stated above. :)

That is why I wanted my logout.php script to run when they close the browser and that would erase the session id in the database.

Thanks for your help by the way.

Re: delete field in table on browser close PLEASE HELP ME OU

Posted: Thu Dec 30, 2010 7:34 pm
by social_experiment
phphelpme wrote:Right, just to let you know that I use my own session and not phpsessions.
You should have led with that in the opening post :)

Re: delete field in table on browser close PLEASE HELP ME OU

Posted: Thu Dec 30, 2010 7:36 pm
by phphelpme
Yeah, sorry about that matey. Forgot to mention that one mate. Sorry for messing you around. Thanks for all your help by the way. That's why I need something like the onunload function or something to load the logout.php script maybe.

I am not sure but trying all sorts of things and it is not removing the session stored in the database. :)

Re: delete field in table on browser close PLEASE HELP ME OU

Posted: Thu Dec 30, 2010 7:42 pm
by thecodewall
I have the same problem with my other application.
Usually we have no responsibility if the user did not logout, it's their own responsibility.
http://codewall.blogspot.com

Re: delete field in table on browser close PLEASE HELP ME OU

Posted: Fri Dec 31, 2010 1:47 am
by social_experiment
phphelpme wrote:yeah, sorry about that matey
No probs :) Is it a custom built application?
thecodewall wrote:Usually we have no responsibility if the user did not logout, it's their own responsibility.
That's a bit unreasonable IMO, no fault on your part but the user shouldn't suffer for something like that.

Re: delete field in table on browser close PLEASE HELP ME OU

Posted: Sat Jan 01, 2011 3:17 pm
by phphelpme
I agree social, and yes it is a custom built system that I built myself. I am just trying to find a way to run my logout script when the browser closes etc or the tab closes etc.

If any advice can be given or example coding then that would be great.

Re: delete field in table on browser close PLEASE HELP ME OU

Posted: Wed Jan 05, 2011 5:00 pm
by phphelpme
Can anyone else shed some light on this situation I am currently having? Any additional help would be great. Thanks social for your great input. :)
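
Added example, not part of any post in this thread: unload handlers are not a reliable place to run a logout, so one alternative to the fixed expiry time mentioned in the first post is a sliding idle timeout, where every page request or heartbeat ping renews the session id and the server drops any id not seen within a short window. The `Map` below is an in-memory stand-in for the MySQL session table; `SessionStore`, `IDLE_MS` and the random token format are assumptions made for this sketch.

```javascript
// Added example: sliding idle timeout for server-side session ids.
// The Map stands in for the session table described in the thread (assumption).
const crypto = require('crypto');

const IDLE_MS = 60 * 1000; // assumed window: id lapses 60 s after it was last seen

class SessionStore {
  constructor(idleMs = IDLE_MS) {
    this.idleMs = idleMs;
    this.rows = new Map(); // sessionId -> { user, lastSeen }
  }

  // Login: issue an unguessable random id instead of one built from account data.
  create(user, now = Date.now()) {
    const id = crypto.randomBytes(32).toString('hex');
    this.rows.set(id, { user, lastSeen: now });
    return id;
  }

  // Called on every page request and every heartbeat ping.
  // Returns the user while the session is live, otherwise null.
  touch(id, now = Date.now()) {
    const row = this.rows.get(id);
    if (!row) return null;
    if (now - row.lastSeen > this.idleMs) {
      this.rows.delete(id); // lapsed: same effect as running the logout script
      return null;
    }
    row.lastSeen = now; // slide the window forward for an active user
    return row.user;
  }

  // Explicit logout click.
  revoke(id) {
    return this.rows.delete(id);
  }

  // Periodic cleanup so abandoned rows do not pile up in the table.
  purge(now = Date.now()) {
    let removed = 0;
    for (const [id, row] of this.rows) {
      if (now - row.lastSeen > this.idleMs) {
        this.rows.delete(id);
        removed++;
      }
    }
    return removed;
  }
}
```

In the browser, a `setInterval` that requests a small heartbeat URL every `IDLE_MS / 3` keeps an open page alive. Once the window closes the pings stop, so a bookmarked or shared id is rejected after the idle window.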