homepage Welcome to WebmasterWorld Guest from 54.166.14.218
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Code, Content, and Presentation / HTML
Forum Library, Charter, Moderators: incrediBILL

HTML Forum

    
How do I make sure a session is ended when the browser is closed?
the_nerd

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 10895 posted 11:26 am on Aug 26, 2005 (gmt 0)

Pls don't laugh ... I didn't find the behaviour of my site anywhere else.

I track user sessions with simple session-cookies. After 20 minutes a seesion times out if there's no user interaction.

My problem is: if I close the browser window and open a new one, then go to the url that needs a login - the user is still logged in. (if that happens within the 20 minutes before the session times out)

What would you do do find out if it is another browser requesting the connection so I can tell the user he needs to login again / is there some kind of header / whatever that restricts a session cookie to a single browser instance?

Yes, of course I ask users to logout before they close the browser, but they don't. And if somebody on a public PC by chance reaches the same site, he is logged in as the previous user :-(

Thanks for any idea,

Nerd.

 

garann

10+ Year Member



 
Msg#: 10895 posted 5:43 pm on Aug 26, 2005 (gmt 0)

Can you pass a session ID as a hidden form field, in addition to the session management the server is doing? If the server gets a request without that parameter, you could invalidate the session then. A request in a new window wouldn't have that value set, and you could redirect users to the login page.

Prolific

5+ Year Member



 
Msg#: 10895 posted 5:58 pm on Aug 26, 2005 (gmt 0)

Its because you have more than one browser window open. To kill off the session - all the browser windows need to be closed.

the_nerd

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 10895 posted 7:58 pm on Aug 26, 2005 (gmt 0)

Prolific,

no . even if I close all browser windows - then open a new one the session is still valid - i.e. the user is still logged in. (because the session id in the cookie matches the session id on the server)

Using Form fields is not an option, because the user can hop between several pages without using any forms.

Nerd

Aapo Laitinen

5+ Year Member



 
Msg#: 10895 posted 10:36 am on Aug 27, 2005 (gmt 0)

If you don't define an expiry time for your cookie, it becomes a session cookie that is thrown away when the browser closes (as opposed to persistent cookie that has an expiry time and is stored until then).

Note: Some frameworks have a thing called "session cookie" that is different from the session cookie I'm referring to. Don't confuse these two.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / HTML
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved