session id unset necessary

digitalecartoon

Can someone help me with my mailform? It uses a Flash mailform, together with php and session id.

First things first: in the index.php page it starts by setting the session:

<?php
session_start();
$_SESSION["domino"] = true;
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
//rest of page showing flash movie

When inputed the flash form and clicking send the php script processes the data by first checking for the existence of this session id. If it's not ok, an error message returns.

If everything is ok and a session id is present, the session id itself is unset. I've been told that you should immediatelly unset a session id after using it for security reasons.

<?php 
session_start(); 
if(!isset($_SESSION["domino"])){ 
//error message 'forbidden access' 
exit; 
} else { 
session_destroy(); 
unset ($_SESSION["domino"]); 
//rest of script: processing the form input 
}

But now, when I input the flash form once more and click send, of course nothing happens because the session id is cleared. And I can't set the session id in Flash itself I think.

Is there any way to fix this?

digitalecartoon

From a site about session id's:
http://www.php-learn-it.com/php_sessions.html

"Remember sessions are destroyed automatically after user leaves your website or closes the browser, but if you wish to clear a session variable yourself, you can simple use the unset() function to clean the session variable"

This would mean I could easily delete those two unset/destroy lines?

Because after leaving my site or closing the browser or visiting another site through a link on my site it is destroyed anyway? So it doesn't make my php script less secure after all? Am I correct?

So what should happen is:
1. entering site: setting session
2. leaving site: automatically unsetting session
3. closing site: automatically unsetting session
4. having a link inside your site, clicking it to go to new site: automatically unsetting session

And this is what happening now without those unset/destroy lines? So it safe to delete them? Doesn't make my php script less secure?

Basically what I want is that my php script can only be accessed if the user is on my site. Not directly or through another site.

NogDog

There is really no reliable way to know from the server's perspective when a user has left your site for another.

The session data on the server is automatically destroyed after a certain amount of time since its last access, based on a number of PHP configuration items. This data removal is completely independent of whether the user closes their browser or moves to another site.

The session cookie expires based on your server's session cookie configuration parameters. This may be when the user closes his browser (if the expiration time is set to zero), otherwise is a specific amount of time, regardless of whether or not the user has closed the browser. In either case, simply leaving your site for another one will not affect the cookie's expiration.