Some Session Issues/Questions
Hey there, sorry to harass you all again, but I've been reading up on this and I can't quite find the answer anywhere, so here goes.
(All using Sessions)
1) What's the best way to use a session? I've seen many examples of them, but I'm wondering what is the most secure form (so if a user logs out and a session is killed) they can't click back and continue on.
2) If a user is logged in then all of a sudden loads another site, what happens to my session? Is it killed? If not, how can I make the session GET killed when a user leaves the site via opening a new URL in the same browser?
Thanks in advance, and sorry for picking your brains so much in late days. I've been trying to get this myself, but I'm at a loss for both of these questions I am asking. I'd like to thank vodka and the many others for the help in the past too. It's not gone unnoticed.
I wouldn't use cookies explicitly; just use regular sessions, then PHP will use cookie/GET as appropriate. Without setting anything extra, the session dies when the user closes the browser or you call session_destroy().
If you want to destroy the session when the user leaves your site you have a few options:
wrap all outside links with something like: yoursite/leavesite.php?goaway=$targetURL;
your leavesite.php page can call session_destroy() before using header("Location: " . $_GET["goaway"]);
or some kind of client-side coding to do the same
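The leavesite.php idea from the reply above, as an added example that is not part of the original thread: it clears the session on both server and browser, and follows goaway only when its host is on an allowlist, because redirecting to an unchecked $_GET value turns the page into an open redirect. ALLOWED_HOSTS and its values are constructed placeholders.

```php
<?php
// leavesite.php: added example, not code from the thread.
// Assumption: ALLOWED_HOSTS lists the outside hosts this site links to (constructed values).
const ALLOWED_HOSTS = ['www.php.net', 'example.org'];

function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                       // drop the data held in this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the session cookie in the browser as well.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // remove the server-side session data
}

function safe_target($url, array $allowedHosts): ?string
{
    if (!is_string($url) || preg_match('/[\x00-\x20]/', $url)) {
        return null;                      // arrays, CR/LF, control chars, spaces
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                      // relative or malformed: refuse
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                      // only web links
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;                      // host is not one we link to
    }
    return $url;
}

end_session();
$target = safe_target($_GET['goaway'] ?? null, ALLOWED_HOSTS);
header('Location: ' . ($target ?? '/'), true, 302);   // fall back to our own front page
exit;
```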
Thanks for the help there, however, what I meant by when the user LEAVES the site, let's say they are sitting there at my main menu or whatnot.
They then click on their favorites (bookmarks) and select one of their bookmarks which gets loaded up. What happens to the session? Is it killed or not? If not, how can I make it die upon a user doing such a thing.
I don't think there is any easy way to force the sessions to die in those cases. The best I can come up with off the top of my head:
For every active session, store the last time a page was viewed.
Run a cron job every n minutes that deletes any sessions where the last viewed time is too old.
So if a user's page views are idle the session is terminated. You'll probably make some users upset who just left the computer to use the restroom or watch tv and then come back, but....
DynamiteHost - Forum Commoner - Posts: 69 - Joined: Sat Aug 10, 2002 5:33 pm
I'm pretty sure there's a way to set it to expire as soon as they leave the site, whether it be by clicking a link, going to a favourite site or exiting the browser.
I think you'll probably just have to look around a bit more
I did learn this at one time (I'm pretty sure of it), but it doesn't seem to be in my head anymore
Sorry.
What about setting session timeouts (so they auto expire)? I don't know how this would get handled page to page though. Like, they log in and they have a 5 minute session; if they go to another page within this system, do they get a fresh 5 minutes for the session or is it continually counting down? I could do this to ensure that the session would be killed if they left via a bookmark, I guess.
I just don't know how to set a timeout on a session <- As you can guess I've never had the need to use them before.
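The "store the last page view time" suggestion and the timeout question above, as an added example that is not part of the original thread: a guard included at the top of every protected page, with a sliding idle limit (each page view grants a fresh window) plus a fixed cap counted from login. The limits, the session key names and /login.php are assumptions.

```php
<?php
// session_guard.php: added example; include it at the top of every protected page.
const IDLE_LIMIT     = 300;    // assumption: 5 minutes without a page view
const ABSOLUTE_LIMIT = 3600;   // assumption: hard cap of 1 hour per login

function session_expired(array $s, int $now): bool
{
    if (!isset($s['login_at'], $s['last_seen'])) {
        return true;                                   // never logged in
    }
    return ($now - $s['last_seen'] > IDLE_LIMIT)       // idle too long
        || ($now - $s['login_at'] > ABSOLUTE_LIMIT);   // logged in too long
}

session_start();
$now = time();

if (session_expired($_SESSION, $now)) {
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php', true, 302);         // hypothetical login page
    exit;
}

// Sliding window: a page view inside the limit restarts the idle countdown.
$_SESSION['last_seen'] = $now;

// Ask the browser not to store protected pages, so Back after logout
// has no cached copy to show.
header('Cache-Control: no-store, private');
```

At login, call session_regenerate_id(true) and set both $_SESSION['login_at'] and $_SESSION['last_seen'] to time(). Because the check runs on every request, expiry does not depend on a cron job or on PHP's own session garbage collection.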
twigletmac - Her Royal Site Adminness - Posts: 5371 - Joined: Tue Apr 23, 2002 2:21 am - Location: Essex, UK
Secure:
They hit back...the session is gone.
Code:
session_start();
session_register("variable");    // removed in PHP 5.4; use $_SESSION["variable"] = ... there
// ...
session_unregister("variable");  // removed in PHP 5.4; use unset($_SESSION["variable"]) there
If they load another page and then come back without logging out, they remain logged in. BUT, if they CLOSE that browser session/tab and re-open it...they are no longer logged in.
later on, -Brian
P.S. why would you want the session to die if they go to a different page?
It's a sad but true fact some of these people access this from public internet cafes. So that would be why, in the case they don't close the browser window and just leave, then whoever uses that system next could click back and go wild.