I'm working on a program in which security is really an important part. The flow is this: the user can log in via the LOGIN/PASSWORD scheme. The program verifies the login data; if it is not valid, it displays an error; if the user is valid, it inserts a session into a database table and also puts a copy of the session ID in the cookie, and the login script redirects the user to the account page. Inside the account page, all scripts that are involved make sure to read the session ID from the cookie variable, compare it, and check whether that session ID really exists in the session table. I have a 30-minute timeout per session.

The PROBLEM is that, when the user accidentally or intentionally, or in some cases due to a browser error, closes the browser window, the cookie is still in the browser's cookie file and it is still valid. When I open the browser again and point the location to, let's say, http://domai.com/members/index.php (thereby bypassing the login page), the script will still read a valid cookie, since its timeout is 30 minutes. Thus, the user who opens the browser window will be able to access the account of another user (in such a case). How do I solve this problem?

I noticed how Yahoo implements a good login/logout system. When you log in to the mail interface, then open another window and type in mail.yahoo.com, it redirects you to the mailbox (because you have an existing session). But when you close the window and open it again pointing to mail.yahoo.com, it presents a login form. How do they detect the window activity?
Jun
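The cookie-backed session check described in the post, as an added example that is not the poster's code: it assumes a PDO connection `$pdo`, a table `sessions(id, user_id, last_seen)` and a cookie named `sid`, all of which are made up for the example. The cookie is issued with no expiry, so the browser keeps it only for the current browser session, and the server enforces the 30-minute idle timeout and deletes the row on logout.

```php
<?php
// Added example, not the poster's code. Assumes a PDO connection $pdo and a
// table sessions(id CHAR(64) PRIMARY KEY, user_id INT, last_seen DATETIME).
const IDLE_TIMEOUT = 30 * 60; // 30-minute idle timeout, as in the post

// After LOGIN/PASSWORD verification succeeds: create the server-side session
// row and hand the browser a non-persistent cookie. With expires = 0 the
// browser keeps the cookie only until it is closed, which is the behaviour the post asks about.
function start_session(PDO $pdo, int $userId): string {
    $id = bin2hex(random_bytes(32));            // unguessable session ID
    $stmt = $pdo->prepare('INSERT INTO sessions (id, user_id, last_seen) VALUES (?, ?, NOW())');
    $stmt->execute([$id, $userId]);
    setcookie('sid', $id, [
        'expires'  => 0,        // session cookie: discarded when the browser closes
        'path'     => '/members',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    return $id;
}

// Called by every script under /members/: look the cookie up in the session
// table, reject unknown or idle-expired IDs, and refresh last_seen otherwise.
function current_user(PDO $pdo): ?int {
    $id = $_COOKIE['sid'] ?? '';
    if (!preg_match('/^[0-9a-f]{64}$/', $id)) {
        return null;                             // malformed or missing cookie
    }
    $stmt = $pdo->prepare('SELECT user_id, UNIX_TIMESTAMP(last_seen) AS seen FROM sessions WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return null;                             // no such session on the server
    }
    if (time() - (int) $row['seen'] > IDLE_TIMEOUT) {
        end_session($pdo, $id);                  // idle too long: kill it server-side
        return null;
    }
    $pdo->prepare('UPDATE sessions SET last_seen = NOW() WHERE id = ?')->execute([$id]);
    return (int) $row['user_id'];
}

// Logout (or timeout): delete the server-side row and expire the cookie, so a
// leftover cookie can no longer be matched against the session table.
function end_session(PDO $pdo, string $id): void {
    $pdo->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    setcookie('sid', '', ['expires' => time() - 3600, 'path' => '/members']);
}
```

Whether the browser really drops the cookie on close is up to the browser (session-restore features can keep it), so the server-side idle timeout and the explicit logout remain the authoritative controls.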