I track user sessions with simple session-cookies. After 20 minutes a session times out if there's no user interaction.
My problem is: if I close the browser window and open a new one, then go to the URL that needs a login, the user is still logged in (if that happens within the 20 minutes before the session times out).
What would you do to find out if it is another browser requesting the connection so I can tell the user he needs to log in again? Is there some kind of header or whatever that restricts a session cookie to a single browser instance?
Yes, of course I ask users to log out before they close the browser, but they don't. And if somebody on a public PC by chance reaches the same site, he is logged in as the previous user :-(
Thanks for any idea,
No. Even if I close all browser windows and then open a new one, the session is still valid, i.e. the user is still logged in (because the session id in the cookie matches the session id on the server).
Using form fields is not an option, because the user can hop between several pages without using any forms.
Note: Some frameworks have a thing called "session cookie" that is different from the session cookie I'm referring to. Don't confuse these two.
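
A small model of the behaviour discussed in this thread, added here as an example and not code from any poster. The `Server` and `Browser` classes and the `SESSIONID` cookie name are hypothetical; the thread does not say how the cookie is set, so the persistent variant assumes a `Max-Age` equal to the 20-minute timeout.

```python
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 20 * 60  # seconds; the 20-minute timeout from the post

class Server:
    """Hypothetical server: session id -> time of last request."""
    def __init__(self, persistent_cookie):
        self.persistent_cookie = persistent_cookie  # assumption under test
        self.sessions = {}

    def login(self, now):
        sid = f"sid-{len(self.sessions) + 1}"  # constructed id; real ids must be random
        self.sessions[sid] = now
        cookie = SimpleCookie()
        cookie["SESSIONID"] = sid
        cookie["SESSIONID"]["httponly"] = True
        if self.persistent_cookie:
            cookie["SESSIONID"]["max-age"] = IDLE_TIMEOUT  # kept across restarts
        return cookie["SESSIONID"].OutputString()  # Set-Cookie header value

    def is_logged_in(self, cookie_header, now):
        morsel = SimpleCookie(cookie_header).get("SESSIONID")
        last = self.sessions.get(morsel.value) if morsel is not None else None
        if last is None or now - last > IDLE_TIMEOUT:
            return False
        self.sessions[morsel.value] = now  # sliding idle timeout
        return True

class Browser:
    """Hypothetical browser cookie jar: name -> (value, survives_close)."""
    def __init__(self):
        self.jar = {}

    def store(self, set_cookie):
        for name, morsel in SimpleCookie(set_cookie).items():
            survives = bool(morsel["max-age"] or morsel["expires"])
            self.jar[name] = (morsel.value, survives)

    def close_all_windows(self):
        # Cookies without Max-Age/Expires end with the browser session.
        self.jar = {n: c for n, c in self.jar.items() if c[1]}

    def cookie_header(self):
        return "; ".join(f"{n}={v}" for n, (v, _) in self.jar.items())

def logged_in_after_reopen(persistent_cookie, minutes_away=5):
    server, browser = Server(persistent_cookie), Browser()
    browser.store(server.login(now=0))
    browser.close_all_windows()
    return server.is_logged_in(browser.cookie_header(), now=minutes_away * 60)
```

In this model only the cookie carrying `Max-Age` reproduces the "still logged in after reopening" behaviour. Browsers configured to restore the previous session on startup can also keep cookies that have no expiry, which the model does not cover.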