Delete Cookies when browser is closed

scoppc

When a user leaves my online community without clicking on the logout link (button), he could just enter again without logging in.

Can I prevent this?

Thanks.

scoppc

"May All Beings Live In Happiness"

ziggs

Sessions my friend. Loveley sessions. Or just do an delete cookie. They do it with Javascript. Its sorta like that thing when you click |X| on windows and another browser window pops up. Same sorta concept just delete a cookie instead. I can't find the flipping source code or I would give it out. Sessions would work here also. Just keep their information and when the user leaves it will delete the session. Ok thanks for answering my other post. I appricate it. Even now.
Ziggs

Anon

Hi,

Actually I am facing the same problem. I store the session at server(I compile my php with -enable-trans-sid).

When the user close that browser window, or even close all the browser, the user still able access to the page which required login.

I do set the session timeout in php.ini. But it seem like a bit unsecure 'LOGOUT' method. Any suggestion?

[deleted]

enable-trans-id is evil. It puts the sessionid in the URL, which means clients can bookmark your page and store the sessionid in the bookmark. This is very bad.

Stop using trans-id, start using cookies. Then your session will expire properly.

A forum, a FAQ, email notification, what else do you need?

Time to YAPF!: http://www.hvt-automation.nl/yapf/

ziggs

Vincet cant you also do a delete cookie when the browser closes? Like with the damn popup porn ads. Not that I look or anything. 🙂 But can't it be done through that way? And yes the enable_trans_id is bad. Let me know what you think about it.
Ziggs

tabish

the only way by which you can delete the cookie is "through popup window" because in PHP there is no support like "onsessionend()" which is in ASP. And now I feel it's really a major drawback of PHP when you go for advanced programming, but we will have to tolerate it untill the PHP people gives a solution.

I have seen so many php sites which has tried to deal with this problem (like showing online user at a time) and they used so many techniques to do that and because of this reason wheather their sits are SO HECTIC TO NAVIGATE (because they are expiring cash on every page to keep trak of the user)or VERY SLOW.

Atlast.. I don't think that there is a GOOD solution in PHP to keep the track of users' browser.

So we will have to pull hairs untill Zend think on it carefully.

Anon

I really didnt think about this until the thread showed up, went to my provider, logged in to do maintenance on my web site, bookmarked the page that showed my active sites, and viola, I can close my browser and system down, and as long as I hit it before the session times out, I am back in.

Down with SID! LOL

Unfortunately, folks new to PHP will not know this, they will only know that if you tag SID for no cookie browsers, you defeat that problem. (Not realizing they've created Godzilla to kill Frankenstein. Sure Godzilla eats Franky, but afterwards, he is still REALLY hungry.)

Just my two Euro cents.

Jim

mikeq

If you use setcookie without a time part does it not delete the cookie when the current browser session ends?

SetCookie("TestCookie",$value);

I'm pretty sure thats the case.

Mike

scoppc

Ummm... seems like everybody is also confused by this problem. Well, it's ok for now since I don't really manage an online community that needs a very high security but later, I need that! =(

Without specifying the time? Well, sounds a bit reasonable for me. But that's the expiry time for the cookie, isn't it?
Anyway, I'll try it.

Thanks.

scoppc

"May All Beings Live In Happiness"

Anon

Unfortunately, the cookie is not the problem here. By default the cookie expires as soon as the browser AND all other instances are closed, and even if it hasn't, its absolutely no good if the session expires. (If you want to set the lifetime of this specific cookie yourself, use the session.cookie_lifetime value and set to something other than 0, see http://www.php.net/manual/en/ref.session.php.)

If a client has cookies enabled, comes to the site, gets a session cookie, closes the browser AND all instances of that browser, and comes back to the site, the user has to get a new cookie. Easy.

The culprit is the SID, that little session ID that tags itself to the end of relative URLs if the cookie cant be set. That thing leads PHP to the appropriate session file (vincent?) as I understand it. If this is on the tail of a URL that's bookmarked and someone else enters using this bookmark while that session is still active (user A gets up from a community computer, user B sits down and finds the bookmark and follows it), there is no log in required (if thats what you did to allow the session to be set). In any rate, the new user has the control of that session. If this is a secured site, i.e., credit card usage, sensitive company information, etc., this is a BIG problem. As Vincent said, turn SID off! Tell the user No Cookie, No Service, sorry. Unless, of course, you feel like taking the heat for the outcome that is.

Jim