Preventing session restores

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Martin3425
Forum Newbie
Posts: 1
Joined: Mon Jul 20, 2009 9:02 pm

Preventing session restores

Post by Martin3425 »

My site is often used on "public" computers in an office, and for the most part it is quite secure, except it seems when dealing with the new "session restore" features in Firefox and other browsers. Here is the situation:

User A logs in.

User A then closes the browser, or turns off the computer without closing a browser.

User B then comes along at a future time and the browser automatically restores the last session in use.

User B is now logged into User A's account.

The best solution I can come up with is having a $_SESSION variable that records the time of the last webpage accessed and, if this time is greater than, say, 3 hours, the session is destroyed. This isn't a great solution however, as it could easily fail to resolve the problem and cause problems for legitimate users.

Is there a way to obtain the start up time of the browser or some way to detect if a session restore has occurred?

Thanks!
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Preventing session restores

Post by Benjamin »

Destroy the session server side.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Preventing session restores

Post by kaisellgren »

I'm not sure, but I think Firefox saves the web page into a file on the computer so that no requests are done to your server. I think this is a client-side issue rather than a server-side issue. When I save the session and reopen my browser, it does not seem to make any requests. It just fetches the page from a cache.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Preventing session restores

Post by jackpf »

Couldn't you just reduce the session max lifetime, either in php.ini, an .htaccess file or ini_set() or something?
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Preventing session restores

Post by Eric! »

Well, you can't really control the browser cache that kaisellgren is talking about. You can suggest to the browser via HTTP headers that the browser's cache is expired.

Cache-Control: max-age=3600, must-revalidate
Expires: Fri, 30 Oct 1998 10:00:00 GMT

This usually gets the browser's attention and it requests a new GET from the server. There's a pretty good tutorial on cache control here:
http://www.mnot.net/cache_docs/

However if the browser is running on a strictly local cache, I don't think it would work.
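Putting the thread's suggestions together: Martin3425's last-activity timestamp, Benjamin's "destroy the session server side", and Eric!'s cache headers. The following is an added example written for this page, not code posted by anyone in the thread. It assumes PHP 7.3 or later (for the array forms of session_set_cookie_params() and setcookie()), that the site runs over HTTPS, that a login page exists at /login.php, and picks a 15-minute idle limit and an 8-hour absolute limit; all of those are the example's own choices and should be adjusted to the site.

```php
<?php
// Added example for this thread (not any poster's code). Include this file at the
// top of every protected page, before any output is sent.
declare(strict_types=1);

const IDLE_TIMEOUT = 15 * 60;     // seconds without a request before the session dies (assumed)
const ABSOLUTE_MAX = 8 * 3600;    // hard cap on session age regardless of activity (assumed)

// Cookie hardening must happen before session_start().
ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue
session_set_cookie_params([
    'lifetime' => 0,          // browser "session" cookie; a restored tab may still present it,
    'path'     => '/',        // so the server-side checks below are what really enforce expiry
    'secure'   => true,       // assumes HTTPS
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// A restored tab that finds the page in its cache never contacts the server, so the
// expiry check below could never run. no-store forces a real request instead.
header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
header('Pragma: no-cache');
header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');

/**
 * Decide whether a session has outlived its idle or absolute limit.
 * Pure function of the session data and the clock so it can be reasoned about in isolation.
 */
function session_is_expired(array $session, int $now, int $idleLimit, int $absoluteLimit): bool
{
    if (!isset($session['last_activity'], $session['created'])) {
        return false;   // brand-new session, nothing to expire yet
    }
    return ($now - (int) $session['last_activity']) > $idleLimit
        || ($now - (int) $session['created']) > $absoluteLimit;
}

/**
 * Destroy the session on the server and tell the browser to drop the cookie.
 * Clearing $_SESSION alone is not enough: the data file and the cookie would both survive.
 */
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

$now = time();
if (session_is_expired($_SESSION, $now, IDLE_TIMEOUT, ABSOLUTE_MAX)) {
    destroy_session();
    header('Location: /login.php?reason=expired', true, 303);   // assumed login URL
    exit;
}

// Session is still valid: stamp it for the next request.
if (!isset($_SESSION['created'])) {
    $_SESSION['created'] = $now;
}
$_SESSION['last_activity'] = $now;
```

The point of combining the two halves is that neither is sufficient alone. Without no-store, Firefox can repaint User A's page from cache with no request reaching the server; without the server-side check, the request that no-store forces would simply be honoured because the cookie is still valid. Note also that lowering session.gc_maxlifetime, as jackpf suggests, is not a substitute for the last_activity check: PHP only garbage-collects old session files with probability session.gc_probability/session.gc_divisor on each session_start(), so an idle session can remain usable well past that limit, whereas the check above runs on every request and fails closed.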