Session Destruction on Site Exit.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
conscience
Forum Commoner
Posts: 33
Joined: Mon Dec 27, 2004 12:34 pm

Session Destruction on Site Exit.

Post by conscience »

Outside of a cookie timeout of some sort, is there no way to detect when a user leaves the site or clicks an external hyperlink in order to implement session destruction features? Every bit of research I've done says "No", but I figured I'd posit the question to (whom I consider to be) the Masters for final verification. Thanks for any information you can provide.
The Monkey
Forum Contributor
Posts: 168
Joined: Tue Mar 09, 2004 9:05 am
Location: Arkansas, USA

Post by The Monkey »

Javascript can technically be used, but not relied on. A java applet could also be used, but is certainly not recommended.

I would try rethinking your session management and see why it is necessary to know the exact instance* a user has left...

*edit: Yah, I know it's instant. Too much programming for me... instance was the first thing that come to mind...
User avatar
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

that would have to be done through javascript's onunload function (in which you would call a javascript that would in turn call a php script for session_destroy).

the only alternative is that you set your config file for a session to last x minutes, meaning the session is destroyed after that.


Edit: The above poster is semi-right, though semi-wrong too.

Javascript is technically needed, however it is also relied upon to carry out what you are wanting to do...

As I said, the only alternative is to set when a time is exceeded for a session variable's existance, it should then be destroyed after x amount of time (that's the only other method of doing so without using javascript)
conscience
Forum Commoner
Posts: 33
Joined: Mon Dec 27, 2004 12:34 pm

Post by conscience »

infolock wrote: As I said, the only alternative is to set when a time is exceeded for a session variable's existance, it should then be destroyed after x amount of time (that's the only other method of doing so without using javascript)
Would a wiser alternative be to block easy exit (such as hiding external links) from the site without first terminating the session?
User avatar
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Nope. They can always press BACK or they can enter their own URL. The session stays.
Post Reply