[Resolved] damn sessions

mailtome

Hi
Wen I close the browser without logging out of my site and then again open the browser & redirect it to my site the user is already logged in.??
Is it not so that the sessions are destroyed when one closes the browser without logging out?? Or I have to handle this?

move3rd

Sessions are automaticaly destroyed when the browser is closed.

Is this a user system you have desgined youself? If the system uses sessions and cookies together the user will stay logged in.

You'll need to give us more to go on if you want help. Maybe posting your login script would be a good start.

mailtome

If the user has successfully logged in I do the following:
session_start();
if (some condition..)
{
$SESSION["guest"]=$username;
include 'frames.php';
exit();
}
else
{
$SESSION["username"]=$username;
include 'frames.php';
exit();
}

LordShryku

Sessions are not destroyed when the browser is closed. The session is stored as a text file on the server and the server has no idea if the user has closed their browser. Look here.

Weedpacket

Much as I'd hate to contradict LordShryku's statement or come off as a smart-aleck, but sessions are destroyed when the client closes its end. A session is meaningful only in the context of state maintained between server and client - if either end drops its handle on the session, the session ends.

Due to the nature of the http protocol, if either client or server drops its end of the session the other won't notice and will be left holding a lump of useless data. Usually it's the client that drops first. Then the server is left holding a session ID and corresponding session data (this is what LordShryku's referring to as "the session") sitting around with no-one to share it. But for all the server knows, the client is still out there, holding up its end, and might come back with its session ID to continue the session. (Eventually, of course, the server has to drop its end too, or it will bog down with ancient session data clogging its pores - but it has to wait at least a little while.)

Maybe I'm being pedantic, but I do think that it's best if confusion is avoided.

If the browser is closed then it should be losing the session ID. If it's not then either the session ID is hanging around somewhere to be picked up again when the browser is restarted (in a URL?) or the browser's not being closed after all.

move3rd

--- edit ---
I didnt see weedpackets post before I posted this.
-- edit --

LordShryku- I shoudlnt make asumtions like that.. thanks for correcting me.

--- edit ---
I was rong but you know what I meant!
-- edit --

mailtome, the code you posted doesnt tell us anthing about how your user system works or give any idea of what the problem could be.

LordShryku

Originally posted by Weedpacket
Much as I'd hate to contradict LordShryku's...

Lie! You know you love it :p

lukatchikm

When a browser is closed, the session is essentially 'closed'. As Weedpacket said, the client mostly always drops the connection first.

This does not mean, though, that your temp. session text file holding the variables is destroyed...It's waiting out there on the server, in case that user re-starts their browser and comes back...

To clear the data that has accumulated from truncated sessions, consider the following and follow LordShryku's helpful link...

I myself am still looking into the garbage collection[\B] process, and writing a shell script that will clear out the old session data that has been collected on the server...

Hopefully this will give you a better understanding of what direction you need to go in.

If a session is properly destroyed, the temp. text file will also be destroyed. Otherwise, if the user abruptly closes their browser, session 'garbage' is retained on the server...

Mike

Weedpacket

Originally posted by lukatchikm
This does not mean, though, that your temp. session text file holding the variables is destroyed...It's waiting out there on the server, in case that user re-starts their browser and comes back...

But when they do the restarted browser will no longer have the session ID it had from the previous session, and a new one would have to be created - in other words - that's a new session.

PHP already has a garbage collection process in place; it doesn't clean out garbage immediately because that would do unpleasant things to performance. Details of what it does when are in the manual and in php.ini.

yelvington

Unless the SID is embedded in the URL to which the browser is returning.