PHP sessions question

Anon

I am creating a PHP site where users must login to access certain pages. I am running into a problem whereby a user can close there browser and then open it back up and paste the URL they were just at (including session ID) and get access again.

I want to know how to expire a session once the browser is closed.

I know some people will say to use cookies (and I am) but I need to use both for those that dont accept cookies.

I imagine this is a setting in the PHP.ini file but after playing with the settings, I cant figure it out.

The key here is expriing a session once the browser closes. Thank you all.

andriy

session_set_cookie_params -- Set the session cookie parameters
Description
void session_set_cookie_params ( int lifetime [, string path [, string domain]])
Set cookie parameters defined in the php.ini file. The effect of this function only lasts for the duration of the script.

Source: http://www.php.net/manual/en/function.session-set-cookie-params.php

If you set cookie lifetime equal to zero, after you close browser you will have an expired session.

[deleted]

"I want to know how to expire a session once the browser is closed."

This not possible because you cannot reliably detect when a browser is closed.
The best you can do is assume that the browser is closed after X minutes of no activity.

Andrew's suggestion of setting the cookie's time-to-live to zero does not help in this case because all you have to do is add the sessionid to the URL and PHP will re-open the session for you.

Another good question is this: how is it possible that a user only needs to send the sessionid in order to continue as loggedin?

Apparently all the logon data is stored in the session, so if someone can read your sessionid and enter it into his URL, he's logged in as you. Bad bad bad.

A simple solution to this is to add another cookie that is set when the user enters his username and password.

After loggin in only the 'real' user will have the cookie, so you can verify that it is the 'real' user by looking for the cookie. No cookie, not logged in, force a new logon.

Now mix that with Andrew's zero-time-to-live on the cookie, and the cookie will be destroyed when the browser closes.

If the user restarts the browser and enters the URL with the sessionid, he nolonger has the cookie and thus he has to do a new logon.

Anon

Vincent,

I am glad you discovered some of the concerns I did with sessions and their expiration. You made some good suggestions and I will implement some form of them.

One thing that I discovered is that the sessions do expire, just not right when the browser is closed. You mentioned that they can paste in the URL with the session ID and get "logged in" again. This is the case before the session expires. I believe the setting:

; Document expires after n minutes.
session.cache_expire=180

is what causes a session to expire after a certain period of time. So if someone pastes a URL after this 180 minutes (or whatever it is set to) then it should require a new login.

I think a simple cookie like you suggested is a good one, just set a parameter that says THIS BROWSER has logged in. Once the browser closes the cookie expires.

I am wondering how to deal with browsers that dont accept cookies...time to ponder...

Thanks Vincent

Anon

Wouldn't it just make more sense to use the authorize header to handle all pages that require a login? Although i am new to this.

Anon

I suppose I am relatively new to all this too. I am not familair with the "authorize header" per say, but the idea behind the sessions is that you can login to one page and it keeps knowledge that you have logged in over multiple pages.

What exactly is the authorize header? Is this a PHP or HTML "function"?

Anon

lookup authorization in the php manual and you\'ll find a header function that request a user name and password when you log into pages that have this header. as long as the browser is open and has successfully logged in once, it will no longer require the name and password. however after the browser is closed it will require the password to relogin to any of those pages with that header.

[deleted]

Yes that would work, but:

1) it's tricky (to say the least) to link that kind of authorization to a database.
2) you cannot force a user to logout, you can only offer to logon again and let the user fail that.
3) it sends the username and password with every request, which is hmm... well.. bad..
4) it does not allow tricks like 'remembering' a login accross browser restarts

'They' did not come up with an alternative to standard HTTP logins for nothing. 🙂

A forum, a FAQ, what else do you need?