Php Sessions Not Destroying On Browser Close

[Sarah]

Hello all-

 

I am having problems with this, and I just can't find the answer I'm looking for. So I'll ask it to the Total Choice Family.

 

I wrote a program in PHP, where users log in/log out. I start a session when they log in and when they hit the 'logout' button, it destroys the session.

 

My problem is that if the user closes the browser window without choosing 'logout', the session is still active! I know this because I've tested it a few times, with closing the window and trying to open up a page again and its still showing my session variables.

 

I know to check for a valid login on every page, but that's not the point. I need to make sure that the session will destroy itself on close of the browser.

 

Can this be accomplished by using PHP and JavaScript?

 

Please help. Thanks.

 

Sarah

[TCH-Rob]

I havent seen an onclose function for the session though others may have. Are you using cookies for this? You may check here http://ca3.php.net/manual/en/function.session-set-cookie-params.php and see if this may help.

[Sarah]

I'm not using any cookies, as far as I know. All that I am using are session variables to store login data, and data about the user I retrieve from the database.

 

I've checked out that link you gave me, but I'm not really sure how to use those config settings with this situation.

[borfast]

Sarah, by default, PHP stores session information in a browser cookie. If that isn't available *and* PHP is configured for this, it will then try to use a variable from the URL. When you see an URL such as http://******/index.php?PHPSESSID=a22e6a8c5dcbb91fe6384d21cead7990, it means PHP wasn't able to store the session information in a cookie and used the PHPSESSID variable in the URL instead.

 

Now about your problem: if you don't have such a variable in the URL, it means PHP is using cookies to track your sessions. By default, that cookie should be deleted when you close the browser but for some reason, it's not getting deleted (perhaps PHP is configured differently on your server? or perhaps you changed the session.cookie_lifetime configuration directive?).

 

You can try add this to your code:

 

session_set_cookie_params(0);

 

If something changed the default cookie lifetime, that will put it back to the default (cookie getting deleted when you close the browser).

 

Other than that, I can't figure out any other way of getting the session to terminate - assuming you're using session_destroy() correctly (not much to get wrong, anyway).

[Sarah]

The session ID is not being passed through the URL, so it is storing it in a cookie, apparently.

 

I checked my phpinfo file, and it said that

session.cookie_lifetime = 0, and session.cache_expire = 180.

These were the defaults for the server also. I've never changed anything in the php.ini file.

[DarqFlare]

You must close out all INSTANCES of a browser to be rid of sessions.

 

Say you open up IE, then spawn a new window from it in some form or other (CTRL-N, a link, etc). Now say you visit another website in one window, and the sessioned website in the other. You close the sessioned website.

 

Your session is still active because of the other window. Close all spawned instances of the browser, and the session dies.

[borfast]

Sarah, there must be something wrong with your code, then

 

If you paste the relevant parts here (remember to strip out usernames, passwords and other sensitive information), perhaps we can figure out what the problemis - sometimes one can miss the obvious (because of being tired, bored of coding the darn thing and not being able to get rid of that error message, etc...) but ask someone else to look at the code and that person will tell you right away where the problem is

 

Edit: Robert may also be right, have you closed all browser instances?

Edited April 23, 2004 by TCH-Raul

[Sarah]

Well, there's alot of code to post... too much for here.... I don't know what I would have coded wrong anyways... I just create a session and destroy it on the logout screen. I just want to make sure it's closed if the user closes all instances of the browser.

 

I will check on that again, checking the instances.

[Sarah]

Well I just checked the instance problem. Apparently, I wasn't closing out of all browser instances. It works now.

 

I guess there's not a way to just do it with the one window (which isn't too much of a problem I guess). Do I need to change any PHP config settings for the timeout anyways? What's the default timeout for a logout?

[DarqFlare]

Dunno how to set the session timeout... If I knew, I'd shorten it for most of my projects.

[TCH-Rob]

You can accomplish this without a php.ini setting by using the function:

 

session_set_cookie_params(int lifetime [, string path [, string domain]])

 

How about editing .htaccess:

 

php_value session.gc_maxlifetime 72000

php_value session.cookie_lifetime 72000

 

 

You can find info on customized timeout sessions at

http://www.phpfreaks.com/tutorials/77/6.php

 

I have not tested these myself but it is something to look at. I can not verify they will work but it is a start.

[Sarah]

I don't know much about .htaccess anyways. I guess i'll just leave well enough alone. I made a different timeout script that logs people out when they are inactive, so it will bypass alot of nonsense. Thanks for the help.