1

I've seen this asked dozens of times and none of the answers work.

I have session data (`$_SESSION['name']` for example) that continues to be accessible even after the user closes the browser windows and opens a new browser. This is happening in Chrome and FF and not in IE.

I need a way to generate random data for a user when he accesses my site and keep that data while he has his browser windows open (even if he is on other sites, yes). But if he closes and opens a new browser window then I want to generate the random data again.

nickhar
tcardoso
  • I think most browsers only throw away session cookies when all windows are closed, not just the one to your site :) – Ja͢ck Nov 26 '12 at 03:28
  • This may be related to `$_SESSION` lifetime and the cookies used in the browser - see here: http://stackoverflow.com/questions/156712/php-what-is-the-default-lifetime-of-a-session. – nickhar Nov 26 '12 at 03:32
  • @Jack I'm talking about closing all browser windows, of course :) Also I tried many workarounds like `onbeforeunload`, but that will be caught by tab closing, and several php.ini configurations. – tcardoso Nov 26 '12 at 10:04
  • But `onbeforeunload` will also be triggered when someone is going to another site within the same window, so I don't feel that's the right approach either ;-) – Ja͢ck Nov 26 '12 at 10:06

3 Answers

1

Session cookies are kept in temporary memory which only gets erased when the browser closes, which is different from persistent cookies that get removed based on their configured lifetime.

Even though a user leaves your site by closing a window, it doesn't mean the browser itself closes and therefore the "session" cookies may be kept alive at the browser's discretion. For one, Firefox has had some interesting behaviour in that arena.

Perhaps in the early days of one page per browser session, closing the window usually meant closing the whole browser and therefore this problem may not have been as common as it is now.

The bottom line is that the behaviour of session cookies based on opening and closing browser windows is simply not reliable and you should find other ways to accomplish what you need. Setting an explicit lifetime might actually work for you.

Ja͢ck
  • I used `session.cookie_lifetime=0` and I closed all browser windows in Chrome and Firefox. So unless those browsers keep some process running in the background that is messing with this conf, it should be working. – tcardoso Nov 26 '12 at 10:10
  • I'll probably just set `session.gc_maxlifetime` to 600 (10 minutes). – tcardoso Nov 26 '12 at 10:15
  • @tcardoso Right, `cookie_lifetime` should be `0` by default and would be the most sensible to use here ... in theory :) – Ja͢ck Nov 26 '12 at 10:15
  • @tcardoso Setting the `gc_maxlifetime` isn't completely reliable either, because it depends on the probability of the GC process being fired at any one request; having said that, if you're thinking about that, you might as well set the cookie lifetime to `600` as well so that the browser stops sending cookies after 10 minutes :) – Ja͢ck Nov 26 '12 at 10:17
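
The answer and comments above conclude that neither the browser's handling of session cookies nor `gc_maxlifetime` is reliable, so the expiry can be enforced in application code instead. The following is an added example, not code from any of the posts: it assumes PHP 7 or later (for `random_bytes`), and `IDLE_LIMIT`, `session_is_stale`, `visit_random` and the session keys `last_seen` and `random` are names chosen for this sketch.

```php
<?php
// Added example (not from the thread). IDLE_LIMIT and the session keys
// 'last_seen' and 'random' are hypothetical names chosen for this sketch.
declare(strict_types=1);

const IDLE_LIMIT = 600; // seconds; the 10 minutes mentioned in the comments

/**
 * Decide whether the stored session data must be regenerated, given the
 * time of the previous request. Kept pure so the rule is easy to verify.
 */
function session_is_stale(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (!isset($session['last_seen'], $session['random'])) {
        return true; // brand-new session: nothing generated yet
    }
    return ($now - (int) $session['last_seen']) > $limit;
}

/**
 * Start the session and return the per-visit random value, regenerating it
 * (and the session ID) once the idle limit has passed.
 */
function visit_random(): string
{
    // Lifetime 0 = "until the browser is closed", where the browser honours it.
    session_set_cookie_params(0);
    session_start();

    $now = time();
    if (session_is_stale($_SESSION, $now)) {
        $_SESSION = [];                  // drop data left over from the old visit
        session_regenerate_id(true);     // issue a new ID, delete the old session data
        $_SESSION['random'] = bin2hex(random_bytes(16));
    }
    $_SESSION['last_seen'] = $now;       // sliding window: refreshed on every request

    return $_SESSION['random'];
}

// Only touch the session when served over HTTP, not when run from the CLI.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
    echo visit_random(), "\n";
}
```

Because the timestamp is checked on every request, the random value is replaced after 10 idle minutes even if the browser keeps sending the old cookie and the garbage collector has not yet run.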
1

You need to remove session cookies after the browser is closed. This is accomplished with the `session.cookie_lifetime` setting:

> `session.cookie_lifetime` integer
> `session.cookie_lifetime` specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means "until the browser is closed."

You can either add `session.cookie_lifetime = 0` in the php.ini, or manually set it for each request with `session_set_cookie_params`:

```php
session_set_cookie_params(0); // Call before session_start
session_start();
```

galymzhan
  • The `session.cookie_lifetime` setting is already `0` by default; besides, it doesn't solve the problem. – Ja͢ck Nov 26 '12 at 03:53
  • @Jack Why doesn't it solve it? Isn't it the cookie which connects browser and server-side session data? – galymzhan Nov 26 '12 at 03:54
  • The problem is that even with a zero lifetime the browser keeps sending the cookie, even if the window was closed. – Ja͢ck Nov 26 '12 at 04:01
  • @Jack Actually, I tested it out (PHP 5.3 on Linux, Firefox 17) and setting it to 0 does solve the problem. Session cookies get destroyed when the browser window is closed, and if they don't, then it might be a browser-specific thing – galymzhan Nov 26 '12 at 04:02
  • Setting it to 0? Was it something else before? – Ja͢ck Nov 26 '12 at 04:04
  • @Jack I don't know which value OP uses by default, but mine is 3600. – galymzhan Nov 26 '12 at 04:05
  • @galymzhan I tried that before posting the question and it's only working on IE (on Windows 7). – tcardoso Nov 26 '12 at 10:13
0

`$_SESSION` by default always ends when your browser is closed, but if you still want to use the previous session you used

You can use `session_set_cookie_params()`, giving the session cookie a non-zero lifetime before starting the session, or set `session.cookie_lifetime` to non-zero.

Jhonathan H.
  • "`$_SESSION` by default always ends when your browser is closed, but if you still want to use the previous session you used" - Not anymore it seems. – tcardoso Nov 26 '12 at 10:12