Sessions on a MAC
Posted: Mon Nov 17, 2003 11:38 am
by JayBird
Hi, I have nearly completed building an intranet site and everything was working okay until I tested on a Mac!
I have a login system, the script that has been used can be found here
http://www.phpsecurepages.com/
On the PC, when the user closes the browser window and goes back to the site, they are asked to login again, but on a Mac, the user is still logged in.
Why would this happen? I don't know which part of the code in the script I mentioned to post for you to check out.
So some ideas of what the problem is might help me determine where the problem is arising from.
Cheerz
Mark
Posted: Mon Nov 17, 2003 1:49 pm
by Weirdan
Seems like your Mac browser doesn't recognize the cookie as a 'session cookie' and does not delete it when the window is closed... just my 2 cents... Macs are like aliens to me....
Posted: Mon Nov 17, 2003 3:22 pm
by JayBird
Yeah, when I view the cookies on the Mac, the cookie is still there. Any way around this without a "Logout" button?
Mark
Posted: Mon Nov 17, 2003 4:41 pm
by Weirdan
Do you use IE/Mac? If so, there should be an option to enable cookie confirmation... then you can see if the cookie is set right, i.e. if it is a session cookie or not...
I suppose it's an IE/Mac bug. Just found these links:
http://www.faqts.com/knowledge_base/vie ... 1457/fid/4
http://66.102.11.104/search?q=cache:VIK ... n&ie=UTF-8
check this also:
Enabling per-session cookies:
Internet Explorer (v5.0 and up):
From your browser's tool bar, click on "Tools" and select Internet Options.
Select the Security tab and click on the button "Custom Level".
Scroll down until you see "cookies" and click on "next" to "enable per-session cookies".
Click on "OK".
Click on "Apply".
Now close and reopen your browser for the new setting to be saved.
....you are not alone

I googled it a lot, but have not found the answer yet.
I see two ways:
1. Set session.cookie_lifetime in php.ini to some meaningful non-zero value (it will make sess_id cookies permanent, so they will expire properly).
2. Write a JS window.onclose event handler which will clear the sess_id.
Posted: Tue Nov 18, 2003 3:35 am
by JayBird
Thanks for the info mate.
Yes, it is IE on the MAC.
The session.cookie_lifetime is already set to 0 in the php.ini.
I can't expect people to change their IE settings.
window.onClose isn't in the JavaScript specification and is only implemented by some versions of Netscape.
So...
The solution I have come up with uses onUnload.
The problem with onUnload is that the function is executed when the user navigates from page to page WITHIN the site...which is obviously no good.
To get around this...
Load the site using frames, one which is like 1 pixel in height and the other fills the rest of the screen. In the 1 pixel frame, load an html/php file that has onUnload in the body tag. When the user closes the browser window, a pop-up window appears executing a "hard" log-out.
When the user is navigating the site as normal, the html/php file in the 1 pixel frame never changes, therefore not calling the onUnload event.
Can't think of a better solution!?!
Mark
Posted: Tue Nov 18, 2003 3:54 am
by mlitton
Hi,
I do all my work on a Mac and have never come across this problem. This is due to no cookies. Instead I keep track of the session with a GET variable and this has never caused any problems. With session_destroy() people never stay logged in on Macs / PCs or other Unix-based systems for that matter.
There are a couple of people out there that don't have cookies enabled and not using cookies to manage your sessions will also enable them to use your site.
Posted: Tue Nov 18, 2003 6:45 am
by Weirdan
mlitton wrote: Instead I keep track of the session with a GET variable and this has never caused any problems.
Imagine the situation: you're running a forum like this one, and someone posts a message with the link to, say,
http://www.evilhacker.com/steal_sess_id.php.
steal_sess_id.php:
```php
<?php
// steal_sess_id.php: reads the session id out of the Referer header
if (isset($_SERVER['HTTP_REFERER'])) {
    // The referring URL still carries PHPSESSID when the id is passed via GET
    preg_match("/PHPSESSID=([^&]*)/", $_SERVER['HTTP_REFERER'], $subpatterns);
    if (!empty($subpatterns[1]))
        echo "Hey man! I've got your session id ({$subpatterns[1]}) and now I can use that forum {$_SERVER['HTTP_REFERER']} as if I was you! HA-HA-HA!\n";
}
```
mlitton wrote:
There are a couple of people out there that don't have cookies enabled and not using cookies to manage your sessions will also enable them to use your site.
PHP's internal session handling uses `url session id passing` as a fallback if cookies are not enabled.
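
An added example (not part of the thread and not phpSecurePages code): a server-side idle timeout, so a browser that keeps the session cookie after the window is closed, as reported for IE/Mac above, is still logged out, combined with cookie-only session ids so the id never appears in a URL or a Referer header. The function names and both time limits are assumptions chosen for illustration.

```php
<?php
// Added example, not from the thread. Both limits are assumed values.
const IDLE_LIMIT = 900;        // seconds without a request before forced logout
const ABSOLUTE_LIMIT = 28800;  // maximum session age regardless of activity

// Pure check on the stored timestamps, usable without a browser.
function session_is_expired(array $s, int $now): bool
{
    if (!isset($s['created'], $s['last_seen'])) {
        return false; // brand-new session, nothing to expire yet
    }
    return ($now - $s['last_seen']) > IDLE_LIMIT
        || ($now - $s['created']) > ABSOLUTE_LIMIT;
}

function start_hardened_session(): void
{
    // Keep the id out of URLs so it cannot show up in a Referer header.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Lifetime 0 asks for a session cookie; the timeout below covers
    // browsers that do not drop it when the window is closed.
    ini_set('session.cookie_lifetime', '0');
    ini_set('session.cookie_httponly', '1');
    session_start();

    $now = time();
    if (session_is_expired($_SESSION, $now)) {
        // Stale session: discard server-side data and issue a fresh id.
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }
    $_SESSION['created'] = $_SESSION['created'] ?? $now;
    $_SESSION['last_seen'] = $now;
}

// Constructed sample timestamps, run from the command line only.
if (PHP_SAPI === 'cli') {
    $now = 1000000;
    // Session seen 30 seconds ago.
    var_dump(session_is_expired(['created' => $now - 60, 'last_seen' => $now - 30], $now));
    // Session last seen 20 minutes ago, past IDLE_LIMIT.
    var_dump(session_is_expired(['created' => $now - 3600, 'last_seen' => $now - 1200], $now));
}
```

Call start_hardened_session() at the top of every protected page, before any output is sent.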