Hi I'm trying to clear all the session variables when the user closes the tab,
I have tried the following
session_set_cookie_params(0);
session_start();
but it clears the session only when the user closes the entire browser,
I have tried searching from some links but I have found that not working.
Browsers only destroy session cookies when the entire browser process is exited. There is no reliable method to determine if/when a user has closed a tab. There is an onbeforeunload handler you can attach to, and hopefully manage to make an ajax call to the server to say the tab's closing, but it's not reliable.
And what if the user has two or more tabs open on your site? If they close one tab, the other one would effectively be logged out, even though the user fully intended to keep on using your site.
by : Marc b
Related
I'm reading "PHP and MySQL novice to ninja" book and it says:
In fact, it would be very secure to change the
user’s session ID on every page load.
However, doing so causes several practical problems. If someone has different
pages open in different tabs, or the website uses a technology called Ajax, they
effectively get logged out of one tab when they open another!
I can't understand what is going on behind the scenes and why the user gets logged out of the previous tab when they open another tab. By generating a new session ID, a new cookie containing the new session ID will be sent to the browser.
So when I open another tab, the session ID will change and a new cookie will be sent to the browser.
Why doesn't the browser use the new cookie to continue being logged in, and what exactly happens that the pages get logged out?
Opening a new tab doesn't start a new session if the same site is already open in the same browser. The browser tries to use the existing session. You can observe this behaviour yourself, on this very website even - if you open a new tab (as well as the one where you're reading this) and go to StackOverflow you are not asked to log in again.
But if every request were to generate a new session then it would invalidate the shared session across all already-open tabs from that site, because they would be relying on the old cookie in the background.
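The logout described above can be reproduced with a toy model. This is an added sketch, not code from the book or from the answers: it assumes PHP 8, an in-memory store in place of PHP's session handler, and a hypothetical grace window during which a retired ID is still accepted, which is the usual way to rotate IDs without logging out requests that were sent before the new cookie arrived.

```php
<?php
// Added illustration: a toy in-memory store, not PHP's real session handler.
final class ToyServer
{
    private array $sessions = [];

    public function __construct(private int $graceSeconds) {}

    public function login(string $user): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = ['user' => $user, 'retired_at' => null];
        return $id;
    }

    /** Handles one request; returns [user or null, session ID for the cookie]. */
    public function request(string $cookieId, int $now): array
    {
        $s = $this->sessions[$cookieId] ?? null;
        $expired = $s !== null && $s['retired_at'] !== null
            && $now - $s['retired_at'] >= $this->graceSeconds;
        if ($s === null || $expired) {
            unset($this->sessions[$cookieId]);   // unknown or retired ID: anonymous
            return [null, $cookieId];
        }
        // Rotate on every request: issue a new ID and retire the old one.
        $newId = bin2hex(random_bytes(16));
        $this->sessions[$newId] = ['user' => $s['user'], 'retired_at' => null];
        $this->sessions[$cookieId]['retired_at'] ??= $now;
        return [$s['user'], $newId];
    }
}

/** Two tabs send a request with the same cookie before either response arrives. */
function twoTabs(int $graceSeconds): array
{
    $server = new ToyServer($graceSeconds);
    $cookie = $server->login('alice');
    $userA = $server->request($cookie, 0)[0];   // tab A: old ID is retired here
    $userB = $server->request($cookie, 1)[0];   // tab B: still carries the old ID
    return ['tabA' => $userA, 'tabB' => $userB];
}

foreach ([0, 5] as $grace) {
    $r = twoTabs($grace);
    printf("grace=%ds tabA=%s tabB=%s\n", $grace, $r['tabA'] ?? 'anonymous', $r['tabB'] ?? 'anonymous');
}
```

With a grace of 0 the second tab is treated as anonymous; with a 5 second grace both tabs stay logged in while the old ID still stops working shortly after rotation.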
I have a real estate component installed. It has the option of adding properties to favorites and creates a list, but when I close and open the browser, regardless of how long it has closed, it deletes the list.
Talking to the developer he told me that it is because of the sessions that are deleted. And he could not help me. On his demo site, when he closes and opens again, he does not delete the list of favorites.
Does anyone know how to help me, how to make Joomla not delete the session when closing the browser?
Thank you!
Browsers do close sessions if you close them. That's simply because the server identifies the user by a cookie. Session cookies are usually set to live just for the time the browser is open. If you close and reopen a browser those session cookies are gone.
But some browsers do only pretend that you close them. Chrome is a good example. So if I close a Chrome window and reopen another one the session continues. Only if I really kill the whole browser I lose my session.
The solution for your issue is to use time based cookies instead. PHP can do this for you. You can do this with PHP code or by configuration.
http://php.net/manual/en/function.session-set-cookie-params.php
http://php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
It seems a small and easy to solve problem, but I can't find any solution for it.
I want to login the users only for that session while they are browsing the site. As soon as they close the tab I want to make their session expired. As much as I know I can't do this in the built-in Auth class.
How could I do this efficiently?
Short answer: YOU CAN'T
The session can be destroyed when the entire browser is closed by simply setting expire_on_close in config/session.php (also make sure you clear the cookies in your browser for this to work):
'expire_on_close' => true,
But there is no way to detect when only a tab is closed in the browser. The closest thing you would have is the JavaScript method onbeforeunload that triggers when you close a tab. But it also triggers when you navigate away from a page or hit the back button, and there's no way to differentiate between those actions.
You could set a very short session time on the server, and "ping" the server from any open page, to let it know to keep the session still in use, which would mean it would very quickly expire when the tabs that have the app open are closed, but that's an extremely ugly solution.
Since PHP is server side code, it only knows the last time/page that was accessed.
See: Destroy PHP session on page leaving
I am using cakephp 2 and recently changed my session handler to database.
Everything seems to be working fine, except when a user leaves the website without logging out the session is left active.
In my core.php file I have configured database session handler as follows:
Configure::write('Session', array(
    'defaults' => 'database'
));
How do I configure cakephp database sessions to destroy the session when a user leaves the site without logging out?
TIA!
You can't. PHP runs on-demand and can't possibly know when a user stops browsing the site. You basically have 2 options:
Write a script to check your session store to find sessions that haven't been accessed in X seconds, and clear them out. Call this script with a cron job.
Check the session when the user comes back, and clear out any stale data. You'll still need to do some cleanup from time to time to get rid of session data from users that never come back.
Sessions are stored on the server, so if the browser is closed or the user goes to a different page, there is no obligation that it informs the server about this action.
Sessions are stored for a certain time on the server, and after some time of inactivity, they will be destroyed there automatically.
Check Sessions info in CakePHP cookbook for more details
There is a possible solution that will work in some cases but probably isn't a great solution:
<body onUnload="ajaxFunctionToDeleteSession();">
some random stuff goes here
</body>
So ajaxFunctionToDeleteSession would call via Ajax a url that would delete the session.
A few problems with this that I see:
Called anytime someone closes an open page of your site. Which means if someone opens up multiple windows of your site and closes one, their entire session, including for the other open tabs, is closed.
There are probably cases in which someone goes to your site, does something, accidentally closes the open window, reopens the site and things will look different because the session is gone.
But if you absolutely must delete a session when someone leaves the site, this may give a way to start approaching the problem.
I would like to store the login, logout and duration time in database.
The login time is created when the user is authenticated (successfully logged in)
The logout time is created when the user clicks the logout button
The duration is logout - login time. (logout minus login)
But the problem is, what if the user didn't click the logout button? Here are the situations:
Internet loss
Close the browser/tab. (I need this, must use JavaScript, but I don't know how to do it, any idea?)
EDIT:
I forgot to add something to the question, the program is a full flash program, there is no navigation to other page. Only 1 page
It's important to remember that all session/log-in functions in PHP are usually cookie based. So, changing the lifetime of the session cookie should solve your problem:
http://us3.php.net/manual/en/function.session-set-cookie-params.php
Also, you can set the PHP sessions so they only use cookies:
http://us2.php.net/manual/en/session.configuration.php#ini.session.use-only-cookies
Again, you can catch the browser window / tab close but ... why? For instance I may have your site open in multiple tabs. If I close one of those tabs should I automatically be logged out of your website? That's a very bad design. Instead, set the session lifetime so it expires if the browser is closed and not just a tab. (Note also that window.unload will log out when any window on your site closes - including a pop-up or an iframe. Do you really want that?)
http://us2.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
If you want to store session state in a database try any one of these guides. Or, roll your own with session_set_save_handler
You can't rely on receiving an event for the user logging out, if they simply close their browser, or disappear from the internet.
In this case you'll have to have a session timeout of some kind, and record the logout when your app realises their session is too old.
If this is a real requirement, then I'd say you need a "cron" job monitoring the sessions for timeout. When a session has timed out, if they were logged on, it then records a "logout" event for that user.
Note that you can't use (for example) ASPNET's Session_End event, because that won't be reliably called either (for example if the server process restarts).
Another option is to add the logout time next time that user logs on - when they log on, you check for old sessions and assume that any which weren't closed lasted for a fixed amount of time since the last page hit.
That's really all you can do.
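The cron-style sweep suggested in the CakePHP answers and the inferred logout time described above can share one routine. This is an added sketch, not code from any of the answers: the rows are constructed sample data standing in for a database-backed session table, and the column names, the 30 minute idle limit and the 60 second tail after the last page hit are assumptions.

```php
<?php
// Added illustration: constructed rows stand in for a session table;
// column names and both constants are assumptions, not project values.
const IDLE_LIMIT = 1800;   // assumed idle timeout: 30 minutes
const ASSUMED_TAIL = 60;   // assumed time the user stayed after the last hit

/**
 * Splits sessions into live ones and implied logouts.
 * @return array{0: array, 1: array} [live sessions, logout events]
 */
function sweepSessions(array $sessions, int $now): array
{
    $live = [];
    $logouts = [];
    foreach ($sessions as $id => $s) {
        if ($now - $s['last_seen'] < IDLE_LIMIT) {
            $live[$id] = $s;
            continue;
        }
        // No logout click was received: infer the end from the last page hit.
        $logoutAt = $s['last_seen'] + ASSUMED_TAIL;
        $logouts[] = [
            'user'     => $s['user'],
            'login'    => $s['login'],
            'logout'   => $logoutAt,
            'duration' => $logoutAt - $s['login'],
            'reason'   => 'idle_timeout',
        ];
    }
    return [$live, $logouts];
}

$now = 100000; // constructed clock value, in seconds
$sessions = [
    'sess-a' => ['user' => 'alice', 'login' => 90000, 'last_seen' => 99900], // active
    'sess-b' => ['user' => 'bob',   'login' => 90000, 'last_seen' => 93000], // closed the tab
    'sess-c' => ['user' => 'carol', 'login' => 95000, 'last_seen' => 95000], // lost connection
];

[$live, $logouts] = sweepSessions($sessions, $now);
echo 'still active: ', implode(', ', array_keys($live)), PHP_EOL;
foreach ($logouts as $e) {
    printf("%s logged out at %d after %d s (%s)\n", $e['user'], $e['logout'], $e['duration'], $e['reason']);
}
```

Run from cron, the same function both expires abandoned sessions on the server and writes the logout rows that a closed tab or lost connection never produces.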
Regarding the closing of browser/tab, you can bind the unload event (window.onunload, jQuery's $(window).unload(fn), or any other) to notify your server. A more general purpose solution would be to periodically ping your server (say, every 5 min), but it might be annoying to the user, so do so judiciously.