Ending Sessions

TouchTheClouds

Does the session end automatically when user closes his web browser? If no, is there any way to write a function for this?

p.s.

I had a webpage, where sessions always ended with closing the browser. Now I have another page with the same php sessions code, and sessions never end when i close the browser. Even I restart my pc, sessions variables remains registered. 😕 I dont use cookies.

MrAlaska

$_SESSION's, by default, maintain state by setting a temporary cookie which is destroyed when all instances of the browser is closed, or inserting the unique ID in the URL. I believe there is a php.ini setting that will allow you to store a persistent cookie that will allow them to maintain state for future visists.

If you are able to reboot your machine and still are logged in when you return to the page, there are not many possibilities other than a persistent cookie. Cookies and the GET method are the only ones available to PHP $_SESSION's. Some sites use the IP address to maintain state, but you would need to code that yourself in PHP.

The only other way PHP could recognize you was if you were returning there on a URL that included the session ID and it was within the session timeout setting. If you are using a bookmark that includes the session ID or typing in the URL and using 'autofinish' that includes the session ID, then I would check your php.ini settings and make sure they are not set for too long a period.

TouchTheClouds

hm i store web pages on lycos and i have no access to their php.ini
however, my other website there works properly. Maybe here is some problems with php code itself?

access.php:

<?php
include("inc/funkcijos.php"); //functions file
session_start();

if ((!isset($login)) or (!isset($pass))) {
$pranesimas = "Áveskite login ir password"; //msg: type your login and pass
include("inc/forma.php"); //login form file
exit;
} 

session_register("login");
session_register("pass");

if (!tikrinti($login, $pass)) {  //function to check if given login and pass are in data base
$pranesimas = "Neteisingas login arba password, pabandykite dar kartà"; //msg "wrong login or pass, try once more"
session_unregister("login");
session_unregister("pass");
include("inc/forma.php");
exit;
} 

$prisijungta = "Prisijungta kaip $login.&nbsp; <a class=norm href=logout.php>Atsijungti</a>";  //msg: loged in as nick and link to logout php file
session_register("prisijungta");
?>

and index.php:

<?php
include("inc/access.php");
?>
<html>
<head>
<!-- and so on -->

TouchTheClouds

ok maybe there was some kind of server error, because now all work properly. 🙂
thanks for anwser

MrAlaska

On another note: Using session_register() allows users to register their own variables, which is why PHP quit enabling globals by default. You should initialize and retrieve the session variables through $_SESSION[] or through $HTTP_SESSION_VARS[] and do not use session_registered at all.

Also, storing passwords in the session variables is redundant. If you trust the session, which you must because you are entrusting it with passwords, just use the session variables for validation. (i.e. $SESSION['user_id']=$user_id and $SESSION['authenticated']='YES') or whatever values you want to use.

EDIT: Speaking of redundancy, if ALL your pages that require a user ID are password protected, then $SESSION['authenticated'] would not be needed because the existance of $SESSION['user_id'] would imply validation. You would only need both variables if you are using a stored cookie for the purpose of displaying a welcome message or user defined settings upon their return.

martyn

Why complicat things???

To start session:

session_start();
session_register (blah);
etc.

To get the seesion data;

start_session();
echo "$blah";

To end session:

session_unset();
session_destroy();

it works for me, or am i doing it wrong???

MrAlaska

Originally posted by martyn
Why complicat things???

Here is why:
http://www.php.net/manual/en/security.registerglobals.php

martyn

ok valid point, but the system i made for my site checks for the password every page you goto, which makes it more secure...