Some Session Issues/Questions
Posted: Thu Aug 15, 2002 8:54 am
by jidospod
Hey there, sorry to harass you all again, but I've been reading up on this and I can't quite find the answer anywhere.. so here goes.
(All using Sessions)
1) What's the best way to use a session.. I've seen many examples of them but I'm wondering what is the most secure form (so if a user logs out and a session is killed) they can't click back and continue on.
2) If a user is logged in then all of a sudden loads another site, what happens to my session? Is it killed? If not, how can I make the session GET killed when a user leaves the site via opening a new url in the same browser.
Thanks in advance, and sorry for picking your brains so much in late days, I've been trying to get this myself, but I'm at a loss for both of these questions I am asking. I'd like to thank vodka and the many others for the help in the past too. It's not gone unnoticed.
Posted: Thu Aug 15, 2002 8:57 am
by jidospod
Also off my original post, but I am NOT letting users stay logged in forever, so they DO have to login each time. Should I still use cookies or not? I can't see any real reason to need the cookies.
Posted: Fri Aug 16, 2002 9:34 am
by jidospod
A quick answer please?

Posted: Fri Aug 16, 2002 9:50 am
by nielsene
I wouldn't use cookies explicitly, just use regular sessions; PHP will use cookie/GET as appropriate. Without setting anything extra the session dies when the user closes the browser or you call session_destroy().
If you want to destroy the session when the user leaves your site you have a few options:
wrap all outside links with something like: yoursite/leavesite.php?goaway=$targetURL;
your leavesite.php page can call session_destroy() before using header("Location: " . $_GET["goaway"]);
or some kind of client side coding to do the same
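A leavesite.php along the lines described above, as an added example that is not part of the original post: it destroys the session and then redirects only to hosts on a fixed list, since a goaway value copied straight into the Location header would let any link on your domain forward visitors to an arbitrary site. ALLOWED_HOSTS and safe_target() are hypothetical names, and the host list is constructed.

```php
<?php
// leavesite.php: added example, not code from the thread.
// ALLOWED_HOSTS is a constructed list; use the hosts your own pages link to.
const ALLOWED_HOSTS = ['www.php.net', 'example.org'];

// Return $url if it is an absolute http(s) URL on an allowed host, else null.
function safe_target(string $url): ?string
{
    if (preg_match('/[\r\n]/', $url)) {
        return null;                              // no line breaks in a header value
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                              // relative or malformed URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                              // only web links leave the site
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                              // reject user:pass@host forms
    }
    return in_array(strtolower($parts['host']), ALLOWED_HOSTS, true) ? $url : null;
}

// End the session before the browser is sent anywhere else.
session_start();
$_SESSION = [];
session_destroy();

// A repeated parameter (goaway[]=...) arrives as an array; treat it as invalid.
$raw    = $_GET['goaway'] ?? null;
$target = is_string($raw) ? safe_target($raw) : null;

// Fall back to the site's own front page when the target is not allowed.
header('Location: ' . ($target ?? '/'));
exit;
```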
Posted: Fri Aug 16, 2002 10:10 am
by jidospod
Thanks for the help there, however, what I meant by when the user LEAVES the site, let's say they are sitting there at my main menu or whatnot.
They then click on their favorites (bookmarks) and select one of their bookmarks which gets loaded up. What happens to the session? Is it killed or not? If not, how can I make it die upon a user doing such a thing.
Posted: Fri Aug 16, 2002 10:19 am
by nielsene
I don't think there is any easy way to force the sessions to die in those cases. The best I can come up with off the top of my head:
For every active session, store the last time a page was viewed.
Run a cron job every n minutes that deletes any sessions where the last viewed time is too old.
So if a user's page views are idle the session is terminated. You'll probably make some users upset who just left the computer to use the restroom or watch tv and then come back, but....
Posted: Fri Aug 16, 2002 1:20 pm
by DynamiteHost
I'm pretty sure there's a way to set it to expire as soon as they leave the site, whether it be by clicking a link, going to a favourite site or exiting the browser.
I think you'll probably just have to look around a bit more
I did learn this at one time (I'm pretty sure of it), but it doesn't seem to be in my head anymore
Sorry.
Posted: Fri Aug 16, 2002 8:14 pm
by jidospod
Thanks, I'm sure I'll figure out how to auto expire the session if they just leave the site via a bookmark.. *continues banging head on desk*
Posted: Fri Aug 16, 2002 8:18 pm
by jidospod
What about setting session timeouts (so they auto expire).. I don't know how this would get handled page to page though, like they login they have a 5 minute session, if they go to another page within this system, do they get a fresh 5 minutes for the session or is it continually counting down? I could do this to ensure that the session would be killed if they left via a bookmark I guess.
I just don't know how to set a timeout on a session <- As you can guess I've never had the need to use them before.
Posted: Sat Aug 17, 2002 11:11 am
by twigletmac
jidospod wrote: A quick answer please?

Everyone answering questions is a volunteer. Pay us and we'll be faster next time...
Mac
Posted: Sat Aug 17, 2002 11:15 am
by gotDNS
Secure:
Code:
session_start();                   // start or resume the session
session_register("variable");      // track $variable in the session
...
session_unregister("variable");    // stop tracking it (e.g. on logout)
They hit back...the session is gone.
If they load another page and then come back without logging out, they remain logged in. BUT, if they CLOSE that browser session/tab and re-open it...they are no longer logged in.
later on, -Brian
P.S. why would u want the session to die if they go to a different page?
Posted: Sun Aug 18, 2002 7:54 pm
by jidospod
gotDNS wrote: Secure:
Code:
session_start();                   // start or resume the session
session_register("variable");      // track $variable in the session
...
session_unregister("variable");    // stop tracking it (e.g. on logout)
They hit back...the session is gone.
If they load another page and then come back without logging out, they remain logged in. BUT, if they CLOSE that browser session/tab and re-open it...they are no longer logged in.
later on, -Brian
P.S. why would u want the session to die if they go to a different page?
It's a sad but true fact some of these people access this from public internet cafes. So that would be why, in the case they don't close the browser window and just leave, then whoever uses that system next could click back and go wild.
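The timeout idea from this thread (record the last page view, end the session when it is too old) and the back-button concern in the post above, as an added example that is not part of any post: on every request it enforces a sliding idle limit plus an absolute limit, and on expiry it clears the session data and cookie while telling the browser not to cache the page. It assumes PHP 7.1+ and uses $_SESSION because session_register() was removed in PHP 5.4; the limits, the array keys and /login.php are assumed names.

```php
<?php
// Added example, not code from the thread. Both limits are assumed values.
const IDLE_LIMIT     = 300;   // seconds without a page view (the "5 minutes" asked about)
const ABSOLUTE_LIMIT = 3600;  // hard cap on session age, however active the user is

// Remove the server-side data and expire the browser's session cookie.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Call after the password check succeeds.
function begin_login(string $user): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) session_start();
    session_regenerate_id(true);            // fresh id for the authenticated session
    $_SESSION['user']    = $user;
    $_SESSION['started'] = $_SESSION['last_seen'] = time();
}

// Call at the top of every protected page; false means "send them to the login form".
function require_live_session(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) session_start();
    // Ask the browser not to keep a copy, so Back re-requests the page instead.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    $now      = time();
    $loggedIn = isset($_SESSION['user'], $_SESSION['last_seen'], $_SESSION['started']);
    $idle     = $loggedIn && ($now - $_SESSION['last_seen'] > IDLE_LIMIT);
    $tooOld   = $loggedIn && ($now - $_SESSION['started'] > ABSOLUTE_LIMIT);
    if (!$loggedIn || $idle || $tooOld) {
        end_session();
        return false;
    }
    $_SESSION['last_seen'] = $now;          // sliding window: each view restarts the idle clock
    return true;
}

// Protected page (login.php is a hypothetical path):
if (!require_live_session()) {
    header('Location: /login.php');
    exit;
}
```

A logout page needs only session_start() followed by end_session(); after that, a Back click re-requests the protected page and is sent to the login form.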