Sessions stays even when webpage exit!

kobbe

I use this when someone is logged in ok on my site:

session_start ();
$auth_ok = "my_page_logedin";
$_SESSION[$auth_ok] = TRUE;

Then I check
if ($_SESSION[$auth_ok] == TRUE) {
//still logged in!
}

And I use my script on several pages and just found this error: When exiting browser after login (without logout) and then start browser again and go to the same page. Then is $_SESSION[$auth_ok] still set to TRUE so I'm stilled logedin!

Is this a server thing? What can I do so it checks that the browser not have been restarted?

Hope you understand what my problem is, my english suck bad 🙁

Peace & Love

Phantazm

Interesting problem... in theory, the entire purpose of a Session Variable IS to clear (or more accurately, not be set) if the browser has been restarted.. (well.. basicly)

I ran you code on my server just to test (I didn't see anything wrong with the code..) and got correct results (i.e. Session Variable "my_page_logedin" was NOT set to true after a browser restart.

What browser are you using to test?

rharter

check your php session configuration, look for cookie_lifetime

if it's 0 the session lasts till the browser is closed

kobbe

Ok.

I don't have a server myself, I use an ISP!

How can I check their config? Or can I change it myself somehow?

Thx!

rharter

here's a script:

<?php
phpinfo();
?>

this will dump out the php configuration and you can check in the sessions sections. You have two choices, ask you ISP to change or use ini_set() .. . check the manual.

good luck,
r

Weedpacket

But see Phantazm's post - if the session is surviving the browser being shut down, then either the browser is broken or it's not really being shut down...

rharter

yes, he closes his browser, re-starts his browser, and the session is still present. according to the manual, you can set cookie_lifetime to zero, which means the session terminates when the browser closes. if it isn't set to zero, it's in minutes I think. If that's the case, you shut down your browser, open it back up and reconnect to the site, the cookie is still present, and the session still exists (assuming that occurs within the alloted time). At leasts that's how I read it. So if he runs phpinfo he can determine the setting, if it's not 0, i would say that's the reason he's seeing the behavior he's seeing.

ron

Weedpacket

Ah, I was thinking of gc_maxlifetime - but why would you want session variables to outlive the session
😕

rharter

yes, for a public site, tearing down the session when the browser closes makes most sense to me. I could see in an intranet site you might want to leave the session up across browser sessions in some scenario I suppose ....

ron

kobbe

Directive Local Value Master Value
session.auto_start Off Off
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /tmp /tmp
session.serialize_handler php php
session.use_cookies On On
session.use_trans_sid 1 1

Well cookie_lifetime was set to 0, see anything else strange?

Another strange thing, I just got to work and tested to do the same thing! Here it works as it should, if I restart browser I'm not logged in.

The error happends on my comp. with Win XP SP1.
Can there be something stupied with IE in my comp?

Thx for all answers!

Phantazm

Originally posted by Weedpacket
Ah, I was thinking of gc_maxlifetime - but why would you want session variables to outlive the session
😕

100% agree here! If I want a variable to last from session-to-session I usually set a cookie! 🙂 (as in a NON-SESSION cookie of course)