Please don't laugh ... I didn't find the behaviour of my site described anywhere else.
I track user sessions with simple session cookies. After 20 minutes a session times out if there's no user interaction.
My problem is: if I close the browser window and open a new one, then go to the URL that needs a login, the user is still logged in (if that happens within the 20 minutes before the session times out).
What would you do to find out if it is another browser requesting the connection, so I can tell the user he needs to log in again? Or is there some kind of header / whatever that restricts a session cookie to a single browser instance?
Yes, of course I ask users to logout before they close the browser, but they don't. And if somebody on a public PC by chance reaches the same site, he is logged in as the previous user :-(
Can you pass a session ID as a hidden form field, in addition to the session management the server is doing? If the server gets a request without that parameter, you could invalidate the session then. A request in a new window wouldn't have that value set, and you could redirect users to the login page.
No. Even if I close all browser windows and then open a new one, the session is still valid, i.e. the user is still logged in (because the session ID in the cookie matches the session ID on the server).
Using form fields is not an option, because the user can hop between several pages without using any forms.
If you don't define an expiry time for your cookie, it becomes a session cookie that is thrown away when the browser closes (as opposed to a persistent cookie that has an expiry time and is stored until then).
Note: Some frameworks have a thing called "session cookie" that is different from the session cookie I'm referring to. Don't confuse these two.
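As an added illustration of the distinction this answer draws (this is example code written for this page, not something posted in the thread or taken from any framework), the block below builds both kinds of `Set-Cookie` header with Python's standard `http.cookies` module, checks which kind a given header is, and pairs the cookie with a server-side store that enforces the 20-minute idle timeout from the question regardless of what the client still presents. The `SessionStore` class, its `clock` parameter and the `HttpOnly`/`Secure` flags are assumptions made for the example; the original question does not describe its server-side storage.

```python
"""Session cookie vs. persistent cookie, plus server-side idle expiry.

Example code written for this page; the question's own framework is unknown,
so the session store below is a hypothetical stand-in for it.
"""
from http.cookies import SimpleCookie
import secrets
import time

IDLE_TIMEOUT = 20 * 60  # seconds of inactivity before the server forgets a session


def session_cookie_header(name, value):
    """Set-Cookie value with neither Expires nor Max-Age: the browser keeps it
    only for the lifetime of the browser process. HttpOnly and Secure are the
    usual hardening flags (assumed here; not mentioned in the thread)."""
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = "/"
    c[name]["httponly"] = True
    c[name]["secure"] = True
    return c[name].OutputString()


def persistent_cookie_header(name, value, max_age):
    """Set-Cookie value with Max-Age: the browser stores it on disk and sends it
    again after a restart until max_age seconds have passed. This is the kind
    that keeps a user logged in after the browser was closed."""
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = "/"
    c[name]["httponly"] = True
    c[name]["secure"] = True
    c[name]["max-age"] = max_age
    return c[name].OutputString()


def is_session_cookie(set_cookie_value):
    """True when a Set-Cookie value carries neither Expires nor Max-Age.
    Useful for checking what your server actually emits."""
    c = SimpleCookie()
    c.load(set_cookie_value)
    for morsel in c.values():
        if morsel["expires"] or morsel["max-age"]:
            return False
    return True


class SessionStore:
    """Server-side session table with an idle timeout.

    The cookie only tells the server which session to look up; whether that
    session is still alive is decided here, so a stale cookie presented by a
    new browser on a shared PC is rejected once the idle timeout has passed.
    `clock` is injectable so the timeout can be exercised without sleeping."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # session id -> {"user": ..., "last_seen": ...}

    def create(self, user):
        """Start a session for `user` and return the unguessable session id."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def user_for(self, sid):
        """Return the logged-in user for `sid`, or None if the session is
        unknown or has been idle longer than IDLE_TIMEOUT (in which case it
        is removed, so it cannot be revived by a later request)."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def destroy(self, sid):
        """Explicit logout: forget the session even if the cookie lingers."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    print(session_cookie_header("sid", "abc"))
    print(persistent_cookie_header("sid", "abc", IDLE_TIMEOUT))
    store = SessionStore()
    sid = store.create("alice")
    print(store.user_for(sid))  # alice
    store.destroy(sid)
    print(store.user_for(sid))  # None
```

Two caveats worth knowing when you test this: a browser configured to restore its previous tabs on startup may also restore session cookies, so "no expiry" is not an absolute guarantee on a shared machine; and the server-side timeout is what actually bounds the exposure window on a public PC, which is why the store above deletes idle sessions rather than trusting the cookie's lifetime.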