Forum Moderators: incrediBILL

How do I make sure a session is ended when the browser is closed?

     
11:26 am on Aug 26, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 29, 2003
posts:790
votes: 0


Pls don't laugh ... I didn't find the behaviour of my site anywhere else.

I track user sessions with simple session-cookies. After 20 minutes a session times out if there's no user interaction.

My problem is: if I close the browser window and open a new one, then go to the url that needs a login - the user is still logged in. (if that happens within the 20 minutes before the session times out)

What would you do to find out if it is another browser requesting the connection so I can tell the user he needs to login again / is there some kind of header / whatever that restricts a session cookie to a single browser instance?

Yes, of course I ask users to logout before they close the browser, but they don't. And if somebody on a public PC by chance reaches the same site, he is logged in as the previous user :-(

Thanks for any idea,

Nerd.

5:43 pm on Aug 26, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Sept 4, 2002
posts:508
votes: 0


Can you pass a session ID as a hidden form field, in addition to the session management the server is doing? If the server gets a request without that parameter, you could invalidate the session then. A request in a new window wouldn't have that value set, and you could redirect users to the login page.

5:58 pm on Aug 26, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:Mar 20, 2005
posts:86
votes: 0


It's because you have more than one browser window open. To kill off the session - all the browser windows need to be closed.

7:58 pm on Aug 26, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 29, 2003
posts:790
votes: 0


Prolific,

No. Even if I close all browser windows - then open a new one - the session is still valid, i.e. the user is still logged in (because the session id in the cookie matches the session id on the server).

Using Form fields is not an option, because the user can hop between several pages without using any forms.

Nerd

10:36 am on Aug 27, 2005 (gmt 0)

New User

10+ Year Member

joined:Aug 26, 2005
posts:3
votes: 0


If you don't define an expiry time for your cookie, it becomes a session cookie that is thrown away when the browser closes (as opposed to a persistent cookie that has an expiry time and is stored until then).

Note: Some frameworks have a thing called "session cookie" that is different from the session cookie I'm referring to. Don't confuse these two.
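
The distinction drawn in the last reply, shown as an added example that is not part of the original thread: a `Set-Cookie` value with no `Expires` or `Max-Age` is a browser session cookie, and the server keeps its own 20-minute idle timeout because it never sees the browser close. The cookie name `sid` and the names `build_set_cookie`, `is_session_cookie` and `SessionStore` are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 20 * 60  # seconds; the 20-minute timeout mentioned in the thread


def build_set_cookie(sid, persistent=False):
    """Return a Set-Cookie value; without Expires/Max-Age it is a session cookie."""
    c = SimpleCookie()
    c["sid"] = sid                    # cookie name "sid" is an assumption
    c["sid"]["path"] = "/"
    c["sid"]["httponly"] = True       # keep the id away from page scripts
    if persistent:                    # this variant survives a browser restart
        c["sid"]["max-age"] = IDLE_TIMEOUT
    return c["sid"].OutputString()


def is_session_cookie(header):
    """True if the Set-Cookie value carries neither Expires nor Max-Age."""
    c = SimpleCookie()
    c.load(header)
    return all(not m["expires"] and not m["max-age"] for m in c.values())


class SessionStore:
    """Server side: the browser closing is invisible here, so the idle
    timeout and an explicit logout are the only ways a session ends."""

    def __init__(self):
        self._last_seen = {}          # session id -> time of last request

    def login(self, now):
        sid = secrets.token_urlsafe(32)   # unguessable session id
        self._last_seen[sid] = now
        return sid

    def touch(self, sid, now):
        """Validate a request; drop the session after IDLE_TIMEOUT of inactivity."""
        last = self._last_seen.get(sid)
        if last is None or now - last > IDLE_TIMEOUT:
            self._last_seen.pop(sid, None)
            return False
        self._last_seen[sid] = now
        return True

    def logout(self, sid):
        self._last_seen.pop(sid, None)
```

Running `is_session_cookie` over the `Set-Cookie` headers a login page actually sends shows whether the framework is adding an expiry that keeps the cookie across browser restarts.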
