4

Problem scenario

If user A logs into the application, the user id is set in the session. After doing some tasks, user A closes his browser and leaves the computer. A short time later, user B comes, opens the browser and sees the application is still in a logged-in state. User B can also open an internal URL, which redirects him directly into the application without any authentication by using the previous session.

My Configuration

```php
$config['sess_cookie_name']     = 'cisession';
$config['sess_expiration']      = 7200;
$config['sess_expire_on_close'] = TRUE;
$config['sess_encrypt_cookie']  = FALSE;
$config['sess_use_database']    = FALSE;
$config['sess_table_name']      = 'ci_sessions';
$config['sess_match_ip']        = FALSE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update']  = 300;
```
manniL
Arslan
  • What version of CI do you have? – mallix Jan 16 '13 at 13:44
  • What browser are you testing in? Certain browsers may not respect the `expire_on_close` – RockyFord Jan 16 '13 at 13:46
  • Define a little while later, you have your session expiration set to 2 hours. nvm, just noticed the expire on close. – Rick Calder Jan 16 '13 at 13:47
  • I remember CI performs its session in a cookie – pktangyue Jan 16 '13 at 14:07
  • this may be helpful http://stackoverflow.com/questions/6705487/how-codeigniter-keeps-session-data-even-when-browser-closes http://stackoverflow.com/questions/11132152/codeigniter-db-session-problems-sess-expire-on-close – Shibbir Ahmed Jan 16 '13 at 14:18
  • Rick: Yes, session expiration is set to 7200 by default, but when I set sess_expire_on_close to TRUE, then it should expire on closing the browser? Does CodeIgniter save its sessions in files or in cookies? – Arslan Jan 16 '13 at 14:48
  • Is there something to change with these settings? `$config['cookie_prefix'] = ""; $config['cookie_domain'] = ""; $config['cookie_path'] = "/"; $config['cookie_secure'] = FALSE;` – Arslan Jan 16 '13 at 14:50
  • Please put your Login page code, I think there might be a problem there. – Hossein J Jan 16 '13 at 16:09
  • This question seems like an exact duplicate of [this one](https://stackoverflow.com/questions/13174297/how-to-destroy-session-with-browser-closing-in-codeigniter). – akinuri Aug 29 '19 at 16:26

4 Answers

4

You can override or set a config item dynamically. If you simply look at `$config['sess_expire_on_close'] = TRUE;`, it controls whether to make the session expire automatically when the browser window is closed.

Set it to TRUE if the user did not check the remember me checkbox, and the session will expire after the user closes the browser.

And if he checks the remember me checkbox, set `$config['sess_expire_on_close']` to FALSE like this:

```php
if ($this->input->post('remember')) $this->config->set_item('sess_expire_on_close', '0'); // 'remember' is the checkbox name.
```

Now the session will not expire after the browser is closed. Note: this solution is also tested on Opera, Mozilla, Chrome and IE9.

arslaan ejaz
  • remember, load session library after setting 'sess_expire_on_close'. – arslaan ejaz Jan 18 '13 at 14:22
  • Does this solution lead to cross-browser request forgeries? For example, I logged in via Chrome, but when I open up Firefox and go to my account page, I find I am already logged in. I'm thinking this could be possible if sessions were being stored in database via `sess_use_database`. Would this be a possible scenario? – Hamman Samuel Jan 26 '14 at 14:12
  • @Hamman I don't think it will work for cross-browser, you have to use sess_use_database for that purpose. – arslaan ejaz Jan 26 '14 at 14:51
0

Why don't you use the CI session function to do that?

http://www.codeigniter.com/userguide2/libraries/sessions.html

Shibbir Ahmed
  • Freelancing_Best_Choice, I don't want to save the session in the database. Kindly help me to save and expire this session without a database. Currently I am using CodeIgniter default sessions. – Arslan Jan 16 '13 at 14:45
0

Try this, maybe it will help you:

```php
/**
 * Escape String
 *
 * @param string
 * @param bool whether or not the string will be used in a LIKE condition
 * @return string
 */
public function escape_str($str, $like = FALSE)
{
    if (is_array($str))
    {
        foreach ($str as $key => $val)
        {
            $str[$key] = $this->escape_str($val, $like);
        }

        return $str;
    }

    $str = is_resource($this->conn_id) ? mysql_real_escape_string($str, $this->conn_id) : addslashes($str);

    // escape LIKE condition wildcards
    if ($like === TRUE)
    {
        return str_replace(array($this->_like_escape_chr, '%', '_'),
            array($this->_like_escape_chr.$this->_like_escape_chr, $this->_like_escape_chr.'%', $this->_like_escape_chr.'_'),
            $str);
    }

    return $str;
}

// --------------------------------------------------------------------
```
Arslan
0

Set in application/config/config.php:

```php
$config['sess_expiration'] = 0;
$config['sess_expire_on_close'] = TRUE;
```

This should be OK.

jp61
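
Added example, not part of any answer above: `sess_expire_on_close` only controls the cookie the browser holds, and a comment on the question notes that some browsers may not respect it, so a server-side idle check covers the shared-computer scenario regardless of what the browser keeps. It assumes CodeIgniter 2.x with the session library not autoloaded; `IDLE_LIMIT`, the `user_id` / `last_seen` session keys and the `auth/login` route are hypothetical names.

```php
<?php
// application/core/MY_Controller.php: added example, CodeIgniter 2.x assumed.
// Hypothetical names: IDLE_LIMIT, the 'user_id' / 'last_seen' session keys,
// and the 'auth/login' route.
class MY_Controller extends CI_Controller
{
    const IDLE_LIMIT = 900; // allowed inactivity in seconds (assumed value)

    public function __construct()
    {
        parent::__construct();
        $this->load->helper('url');
        $this->load->library('session');
        $this->require_fresh_session();
    }

    protected function require_fresh_session()
    {
        $user_id   = $this->session->userdata('user_id');
        $last_seen = $this->session->userdata('last_seen');

        // userdata() returns FALSE for a missing key: treat as not logged in.
        if ($user_id === FALSE || $last_seen === FALSE) {
            redirect('auth/login');
        }

        // Reject a cookie that is still present in the browser but has been
        // idle too long, e.g. after a restored tab on a shared computer.
        if ((time() - (int) $last_seen) > self::IDLE_LIMIT) {
            $this->session->sess_destroy();
            redirect('auth/login');
        }

        // Sliding window: each authenticated request renews the timer.
        $this->session->set_userdata('last_seen', time());
    }
}
```

Protected controllers extend `MY_Controller`; the login action stays in a controller that extends `CI_Controller` directly and sets `user_id` and `last_seen` after authenticating.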