My site is often used on "public" computers in an office, and for the most part it is quite secure, except it seems when dealing with the new "session restore" features in Firefox and other browsers. Here is the situation:
User A logs in.
User A then closes the browser, or turns off the computer without closing a browser.
User B then comes along at a future time and the browser automatically restores the last session in use.
User B is now logged into User A's account.
The best solution I can come up with is having a $_SESSION variable that records the time of the last webpage accessed and, if this time is greater than say 3 hours, the session is destroyed. This isn't a great solution, however, as it could easily fail to resolve the problem and cause problems for legitimate users.
Is there a way to obtain the start up time of the browser or some way to detect if a session restore has occurred?
Thanks!
Preventing session restores
Re: Preventing session restores
Destroy the session server side.
- kaisellgren
Re: Preventing session restores
I'm not sure, but I think Firefox saves the web page into a file on the computer so that no requests are done to your server. I think this is a client-side issue rather than a server-side issue. When I save the session and reopen my browser, it does not seem to make any requests. It just fetches the page from a cache.
Re: Preventing session restores
Couldn't you just reduce the session max lifetime, either in php.ini, an .htaccess file, or with ini_set() or something?
Re: Preventing session restores
Well, you can't really control the browser cache that kaisellgren is talking about. You can suggest to the browser via http headers that the browser's cache is expired.
This usually gets the browser's attention and it requests a new GET from the server. There's a pretty good tutorial on cache control here.
http://www.mnot.net/cache_docs/
However if the browser is running on a strictly local cache, I don't think it would work.
Code:
Cache-Control: max-age=3600, must-revalidate
Expires: Fri, 30 Oct 1998 10:00:00 GMT
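Putting the thread's suggestions together (the original poster's last-activity timestamp, "destroy the session server side", a shorter session lifetime, and cache headers on the page), here is an added example that is not code from any of the posters. The timeouts (30 minutes idle, 8 hours absolute), the function names, and the cookie settings are assumptions chosen for illustration. The expiry policy is kept in a pure function so it can be reasoned about without a live session.

```php
<?php
// Added example, not from the thread: server-side session expiry that does not
// rely on the browser discarding its cookies, plus cache headers for pages that
// require login. Timeout values and function names are assumptions.

const IDLE_TIMEOUT     = 30 * 60;   // destroy after 30 minutes without a request
const ABSOLUTE_TIMEOUT = 8 * 3600;  // destroy 8 hours after login, however active

/**
 * Pure policy check: $sess is the $_SESSION array, $now the current Unix time.
 * Returns true when the session must not be accepted.
 */
function session_is_expired(array $sess, int $now,
                            int $idle = IDLE_TIMEOUT,
                            int $absolute = ABSOLUTE_TIMEOUT): bool
{
    // No login record or no timestamps: nothing we issued, so do not accept it.
    if (!isset($sess['user_id'], $sess['created'], $sess['last_activity'])) {
        return true;
    }
    return ($now - $sess['last_activity']) > $idle
        || ($now - $sess['created']) > $absolute;
}

/** Wipe the server-side data and tell the browser to drop the cookie. */
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/**
 * Call at the top of every page that requires login. Returns true if the
 * request carries a valid session, false if it was rejected (and destroyed).
 */
function session_guard(): bool
{
    // Let PHP's garbage collector reap abandoned files no later than our policy.
    ini_set('session.gc_maxlifetime', (string) ABSOLUTE_TIMEOUT);
    // Reject session ids the server never issued (needed after a destroy).
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,      // non-persistent cookie; a restored browser may keep it anyway
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // Authenticated pages must not be served from cache to the next user.
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');

    $now = time();
    if (session_is_expired($_SESSION, $now)) {
        destroy_session();
        return false;          // caller redirects to the login page
    }
    $_SESSION['last_activity'] = $now;
    return true;
}

/** Call right after the password check succeeds. */
function start_authenticated_session(int $user_id): void
{
    session_regenerate_id(true);   // fresh id, old one deleted: no fixation
    $now = time();
    $_SESSION['user_id']       = $user_id;
    $_SESSION['created']       = $now;
    $_SESSION['last_activity'] = $now;
}
```

Two caveats worth knowing when applying the "reduce the max lifetime" advice on its own: session.gc_maxlifetime only sets when a session *may* be garbage-collected, and collection runs probabilistically (session.gc_probability / session.gc_divisor), so a session can still be resumed well past that value; and when several applications share one save path, the shortest gc_maxlifetime among them effectively applies to all. That is why the explicit timestamp check above is the actual control, with gc_maxlifetime only as housekeeping. PHP's default session.cache_limiter (nocache) already sends no-cache headers on session pages; the explicit header() calls make that policy visible and independent of the ini setting.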