Making sessions more secure?

Forum Moderators: coopster

Message Too Old, No Replies

Making sessions more secure?

chaddsisco

12:42 pm on Sep 22, 2005 (gmt 0)

Right now on my web page Im using sessions instead of cookies, what Im wondering is can I make the session more secure? Here is the issue... if i log into my page the session starts and everything is fine, but if within that same window I go to www.cnn.com and then try to come back to my web page it allows me to see all of the web pages again without starting a new session. Is there a way to force the session to end as soon as you leave the page? Please let me know if that makes sense.

jatar_k

3:30 pm on Sep 22, 2005 (gmt 0)

there isn't a way to destroy them when someone leaves your site. Given that php is a server side language information must be sent to the server for it to be able to do something.

You can be more strict about how long a session lives for though.

I store a timestamp in the session. I want my sessions to last 5 minutes (for code thats 300 secs) so I compare the last access time every time someone hits a page. If the present timestamp is less than 300 seconds bigger than the one in the session then I change the session timestamp to the current one. If it has been more than 300 seconds since their last access then I destroy the session and send them to the login page.

mcibor

9:00 pm on Sep 22, 2005 (gmt 0)

Or you can use the onUnload javascript command to open the popup window with session destroy. However it's not a very popular method, because people (me for example) always close such windows before they execute.

So session time is really the best solution!

Michal Cibor