Preventing session restores
Posted: Mon Jul 20, 2009 9:10 pm
My site is often used on "public" computers in an office, and for the most part it is quite secure, except, it seems, when dealing with the new "session restore" features in Firefox and other browsers. Here is the situation:
User A logs in.
User A then closes the browser, or turns off the computer without closing a browser.
User B then comes along at a future time and the browser automatically restores the last session in use.
User B is now logged into User A's account.
The best solution I can come up with is having a $_SESSION variable that records the time of the last webpage accessed, and if this time is greater than, say, 3 hours, the session is destroyed. This isn't a great solution, however, as it could easily fail to resolve the problem and cause problems for legitimate users.
Is there a way to obtain the start up time of the browser or some way to detect if a session restore has occurred?
Thanks!
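
The idle-timeout check described in the post, sketched in PHP as an added example that is not part of the original post. It does not detect a session restore; it only bounds how long a restored session cookie stays valid on the server. The names `IDLE_LIMIT`, `last_seen`, `session_is_stale()`, `destroy_session()`, `enforce_idle_timeout()` and the `/login.php` URL are assumptions.

```php
<?php
// Added example: server-side idle timeout for a PHP session.
// All function names, the 'last_seen' key and the login URL are hypothetical.

const IDLE_LIMIT = 3 * 60 * 60; // 3 hours, the figure used in the post

// Pure decision: true when the session has been idle longer than the limit.
function session_is_stale(?int $lastSeen, int $now, int $limit = IDLE_LIMIT): bool
{
    return $lastSeen !== null && ($now - $lastSeen) > $limit;
}

// Tear the session down completely: server-side data and the browser cookie,
// so a restored tab cannot present the old session id again.
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Call at the top of every protected page, before any output.
// Returns false when the session was idle too long and has been destroyed.
function enforce_idle_timeout(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $now  = time();
    $last = isset($_SESSION['last_seen']) ? (int) $_SESSION['last_seen'] : null;
    if (session_is_stale($last, $now)) {
        destroy_session();
        return false;
    }
    $_SESSION['last_seen'] = $now; // sliding window: each request renews it
    return true;
}

if (!enforce_idle_timeout()) {
    header('Location: /login.php'); // hypothetical login page
    exit;
}
// The page's own "is a user logged in?" check still runs after this point.
```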