Best Practice for Ending Sessions

I’m slowly coming to the understanding that Sessions do not last, as is so often defined, “until the user exits” or “until the user closes his browser”. Sessions appear to last until the developer closes them. Correct?

I am seeing the user start a browser and find himself already signed in! So how best to end the session? I’m aware of the commands to do it. But the examples are usually dependent on the user initiating some action that results, because of my coding, in ending the session. What if the user doesn’t “logout” by some feature I provide? Maybe he just switches to a completely different website, or maybe just closes his browser. How do we end his session? I don’t want him to be logged in when he returns. It seems this creates a security issue, as whoever is next on the machine is in the previous user’s session.

Is there a “best practice” for this?

No, sessions last until the user closes his browser session, or until the developer closes them.

I am seeing the user start a browser and find himself already signed in!

When the user starts a browser, a new session is started. If he’s automatically signed in, then there’s something else going on. Like a cookie maybe.

Well, that’s great news. I would rather the session end automatically.
But, I am seeing the login still active. I’m checking $_SESSION['myvar'] and seeing it set when the user first enters. Is there some setting I have wrong that would save that as a cookie? I think I just have the defaults.
I’m running on a single PC, Windows XP Pro, PHP 5.2, Apache.
I’m not setting any cookies intentionally. Where to look?

… or until timeout got expired

By default, the session mechanism uses a “session cookie”, which means “until the user closes his browser”. If you change the session cookie lifetime from 0, this behavior changes too.

I used to close them with session_end() (or something) but like Shrapnel_N5 said, once you leave the browser, the session ends.

OK guys, here’s the actual answer to my original post.
The user can now screw up your sessions!
I’ve been able to trace the behavior to the Firefox browser, and have submitted a bug at bugzilla.mozilla.org, the Firefox bug application. There are some related bugs there that have been reported for a few months and debated.

Here’s what happens. I had my Firefox browser set with an option to “Show my Windows from the last time” when Firefox opens. This is an alternative to showing a home page. Sounds pretty innocuous. It’s actually pretty handy during development and can open multiple pages, although only one page is required to cause the problem. Any user can check that option and I suppose many do. In the documentation Firefox calls this feature “Session Restore”, although that term is not included in the user interface, and the first time I saw it was while researching the documentation.

The second Firefox feature that is required is more of a hidden feature because there is no easy user interface to it, although there is a link to edit the configuration file. Firefox calls it Crash Recovery. It is enabled by default, as I said with no user interface to change it. Thanks to Crash Recovery, Firefox reopens with the same Session ID!

That’s the behavior I was seeing. Despite its name, it does not require a crash. I was closing Firefox normally and reopening in the same session. If you deselect the original option to open previous windows, the problem goes away. Again, that option says nothing to the user about sessions, although they consider it Session Restore.

Almost more troubling than this misguided feature are the discussions on various bugs at bugzilla where people express that they like to keep their shopping carts open for hours or days. I’m not sure that’s what the vendors or developers had in mind.

There may be a timeout mechanism, but I’ve seen references to days in those discussions.

Any thoughts?

what about

unset($_SESSION['variable_name_here']);
session_destroy();

Did you read the discussion here?
What if I simply close my browser. How would you get that piece of code to run?

Well !

Yes, in that case I guess there can be a table of active sessions. On every page there should be code to update the last time that session was active.

Now, there can be a cron script that will check all the sessions whose last active time is older than 30 minutes, and the cron will kill those sessions.

The PHP session handler does have a timeout mechanism already: 24 min. default timeout.
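Putting the pieces of this thread together (a cookie lifetime of 0, a last-activity timestamp checked on every page, and an explicit logout that actually removes the cookie), here is an added example in PHP. It is not code from any post above. It assumes PHP 7.3 or newer (for the array forms of session_set_cookie_params() and setcookie()), that the file is included at the top of every page before any output is sent, and that IDLE_LIMIT, user_id, last_activity, onLogin() and endSession() are illustrative names rather than anything built into PHP.

```php
<?php
// Added example, not from the thread: a per-request guard that enforces a
// server-side idle timeout, plus a logout that really ends the session, so a
// browser that restores its cookie after a restart (the Firefox Session
// Restore behaviour described above) cannot resume an expired login.
//
// Assumptions: PHP 7.3 or newer; this file is included at the top of every
// page before any output; IDLE_LIMIT, user_id, last_activity, onLogin() and
// endSession() are illustrative names, not PHP built-ins.
declare(strict_types=1);

const IDLE_LIMIT = 30 * 60;   // hypothetical 30-minute idle limit, in seconds

// lifetime 0 = a "session cookie", dropped when the browser really exits.
// Session Restore keeps it anyway, so the timestamp check below, not the
// cookie lifetime, is the control that actually ends the login.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,     // send only over HTTPS
    'httponly' => true,     // not readable by JavaScript
    'samesite' => 'Lax',
]);
session_start();

/** True while the session's last activity is within $limit seconds of $now. */
function sessionIsFresh(array $session, int $now, int $limit): bool
{
    return isset($session['last_activity'])
        && ($now - (int) $session['last_activity']) <= $limit;
}

/** Wipe server-side data, expire the cookie in the browser, delete the store. */
function endSession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

/** Call after credentials have been verified elsewhere. */
function onLogin(int $userId): void
{
    session_regenerate_id(true);   // fresh ID: the pre-login ID is never promoted
    $_SESSION['user_id']       = $userId;
    $_SESSION['last_activity'] = time();
}

$now = time();

// Explicit logout link: ?action=logout
if (($_GET['action'] ?? '') === 'logout') {
    endSession();
    header('Location: /login.php');
    exit;
}

if (isset($_SESSION['user_id'])) {
    if (!sessionIsFresh($_SESSION, $now, IDLE_LIMIT)) {
        // Idle too long, or restored by the browser hours later: kill it and
        // make the visitor log in again even though the cookie came back.
        endSession();
        header('Location: /login.php?expired=1');
        exit;
    }
    $_SESSION['last_activity'] = $now;   // sliding window, refreshed on each hit
}
```

Two caveats worth keeping in mind. The 24-minute figure is session.gc_maxlifetime (1440 seconds), and it is only the age threshold that PHP's garbage collector uses; the collector itself runs probabilistically (session.gc_probability / session.gc_divisor, 1 in 100 by default), so a stale session can survive well past 24 minutes, which is why the explicit last_activity check above is the deterministic control. The active-sessions table plus cron job suggested earlier is the same idea applied on the server side, and it is what you want if the browser cannot be trusted to discard the cookie.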