Sessions on a MAC

Post by JayBird »

Hi, I have nearly completed building an intranet site and everything was working okay until I tested on a Mac!

I have a login system; the script that has been used can be found here: http://www.phpsecurepages.com/

On the PC, when the user closes the browser window and goes back to the site, they are asked to log in again, but on a Mac, the user is still logged in.

Why would this happen? I don't know which part of the code in the script I mentioned to post for you to check out.

So some ideas of what the problem is might help me determine where the problem is arising from.

Cheerz

Mark

Post by Weirdan »

Seems like your Mac browser doesn't recognize the cookie as a 'session cookie' and does not delete it when the window is closed... just my 2 cents... Macs are like aliens to me....

Post by JayBird »

Yeah, when I view the cookies on the Mac, the cookie is still there. Any way around this without a "Logout" button?

Mark

Post by Weirdan »

Do you use IE/Mac? If so, there should be an option to enable cookie confirmation... then you can see if the cookie is set right, i.e. if it is a session cookie or not...
I suppose it's an IE/Mac bug. Just found these links:
http://www.faqts.com/knowledge_base/vie ... 1457/fid/4
http://66.102.11.104/search?q=cache:VIK ... n&ie=UTF-8
check this also:
Enabling per-session cookies:
Internet Explorer (v5.0 and up):
From your browser's tool bar, click on "Tools" and select Internet Options.
Select the Security tab and click on the button "Custom Level".
Scroll down until you see "cookies" and click on "next" to "enable per-session cookies".
Click on "OK".
Click on "Apply".
Now close and reopen your browser for the new setting to be saved.
....you are not alone ;)
I googled it a lot, but have not found the answer yet.
I see two ways:
1. Set session.cookie_lifetime in php.ini to some meaningful non-zero value (it will make sess_id cookies permanent, so they will expire properly).
2. Write a JS window.onclose event handler which will clear the sess_id.

Post by JayBird »

Thanks for the info mate.

Yes, it is IE on the MAC.

The session.cookie_lifetime is already set to 0 in the php.ini.

I can't expect people to change their IE settings.

window.onClose isn't in the JavaScript specification and is only implemented by some versions of Netscape.

So...

The solution I have come up with uses onUnload.

The problem with onUnload is that the function is executed when the user navigates from page to page WITHIN the site... which is obviously no good.

To get around this...

Load the site using frames, one which is like 1 pixel in height and the other fills the rest of the screen. In the 1 pixel frame, load an html/php file that has onUnload in the body tag. When the user closes the browser window, a pop-up window appears executing a "hard" log-out.

When the user is navigating the site as normal, the html/php file in the 1 pixel frame never changes, therefore not calling the onUnload event.

Can't think of a better solution!?!

Mark

Post by mlitton »

Hi,

I do all my work on a Mac and have never come across this problem. This is due to no cookies. Instead I keep track of the session with a GET variable and this has never caused any problems. With session_destroy() people never stay logged in on Macs / PCs or other Unix-based systems for that matter.

There are a couple of people out there that don't have cookies enabled and not using cookies to manage your sessions will also enable them to use your site.

Post by Weirdan »

mlitton wrote: Instead I keep track of the session with a GET variable and this has never caused any problems.
Imagine the situation: you're running a forum like this one, and someone posts a message with a link to, say, http://www.evilhacker.com/steal_sess_id.php.
steal_sess_id.php:

Code:

// The Referer header carries the full URL of the forum page, including any PHPSESSID in its query string
if (isset($_SERVER['HTTP_REFERER'])) {
    // Capture the session id into $subpatterns[1]
    preg_match("/PHPSESSID=([^&]*)/", $_SERVER['HTTP_REFERER'], $subpatterns);
    if (!empty($subpatterns[1]))
       echo "Hey man! I've got your session id ({$subpatterns[1]}) and now I can use that forum {$_SERVER['HTTP_REFERER']} as if I was you! HA-HA-HA!\n";
}
mlitton wrote: There are a couple of people out there that don't have cookies enabled and not using cookies to manage your sessions will also enable them to use your site.
PHP's internal session handling uses `URL session id passing` as a fallback if cookies are not enabled.
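The server-side counterpart to the two problems raised in this thread (a browser that keeps the session cookie after the window is closed, and a session id in the URL leaking through the Referer header), as an added example that is not from any poster or from the phpSecurePages script. It assumes PHP 7.3 or later and a site served over HTTPS; `IDLE_LIMIT`, the `last_seen` key and the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. All names below are assumed.
const IDLE_LIMIT = 900; // seconds of inactivity before the login is dropped (assumed value)

function start_hardened_session(): void
{
    // Keep the session id out of URLs so it cannot leak via the Referer header.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject session ids that this server did not issue.
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,     // browser-session cookie, as in the thread's php.ini
        'path'     => '/',
        'secure'   => true,  // assumes HTTPS
        'httponly' => true,  // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// True when the stored timestamp is older than the idle limit.
function session_is_stale(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    return isset($session['last_seen']) && ($now - $session['last_seen']) > $limit;
}

// Call at the top of every protected page; false means "send to the login form".
function require_fresh_session(): bool
{
    start_hardened_session();
    if (session_is_stale($_SESSION, time())) {
        // Server-side logout: effective even if the browser never discarded the cookie.
        $_SESSION = [];
        session_destroy();
        setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/']);
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// Call once after the password check succeeds.
function on_login_success(): void
{
    session_regenerate_id(true); // new id, old session data file removed
    $_SESSION['last_seen'] = time();
}
```

With the idle limit enforced on the server, a cookie that survives a browser restart stops being valid after the limit passes, without frames or unload handlers.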