Welcome to WebmasterWorld Guest from

Forum Moderators: incrediBILL

Message Too Old, No Replies

How do I make sure a session is ended when the browser is closed?



11:26 am on Aug 26, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Pls don't laugh ... I didn't find the behaviour of my site anywhere else.

I track user sessions with simple session-cookies. After 20 minutes a seesion times out if there's no user interaction.

My problem is: if I close the browser window and open a new one, then go to the url that needs a login - the user is still logged in. (if that happens within the 20 minutes before the session times out)

What would you do do find out if it is another browser requesting the connection so I can tell the user he needs to login again / is there some kind of header / whatever that restricts a session cookie to a single browser instance?

Yes, of course I ask users to logout before they close the browser, but they don't. And if somebody on a public PC by chance reaches the same site, he is logged in as the previous user :-(

Thanks for any idea,



5:43 pm on Aug 26, 2005 (gmt 0)

10+ Year Member

Can you pass a session ID as a hidden form field, in addition to the session management the server is doing? If the server gets a request without that parameter, you could invalidate the session then. A request in a new window wouldn't have that value set, and you could redirect users to the login page.


5:58 pm on Aug 26, 2005 (gmt 0)

10+ Year Member

Its because you have more than one browser window open. To kill off the session - all the browser windows need to be closed.


7:58 pm on Aug 26, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member


no . even if I close all browser windows - then open a new one the session is still valid - i.e. the user is still logged in. (because the session id in the cookie matches the session id on the server)

Using Form fields is not an option, because the user can hop between several pages without using any forms.


Aapo Laitinen

10:36 am on Aug 27, 2005 (gmt 0)

10+ Year Member

If you don't define an expiry time for your cookie, it becomes a session cookie that is thrown away when the browser closes (as opposed to persistent cookie that has an expiry time and is stored until then).

Note: Some frameworks have a thing called "session cookie" that is different from the session cookie I'm referring to. Don't confuse these two.


Featured Threads

Hot Threads This Week

Hot Threads This Month