3

How would I automatically log the user out if he/she has closed the tab (the tab where he/she has the account logged in)? I know that it may be possible with cookies, but how would we achieve this via sessions?

  • 1
    Use javascript to call a logout script on close – Anigel Aug 01 '13 at 14:36
  • 1
    lower the session timeout value – DevZer0 Aug 01 '13 at 14:36
  • Does it have to be on tab close or could it just time out quickly after no page requests from that user? – MDEV Aug 01 '13 at 14:36
  • @Anigel No... do not do that. That will fail a majority of the time... – Naftali Aug 01 '13 at 14:37
  • Cookies yes, but sessions in tabs, hmmm not entirely sure. The browser needs to be "closed" in order for sessions to `die`, as it were. Sessions would need to use a timestamp as its variable, I would "guess". – Funk Forty Niner Aug 01 '13 at 14:37
  • See http://stackoverflow.com/questions/12158190/fire-a-function-on-window-close - in other words use `window.onbeforeunload`. JavaScript function would send call to server PHP page, which would destroy the session immediately. You'd need to back it up with a session timeout too, in case JavaScript is disabled. – fred2 Aug 01 '13 at 14:37
  • @SmokeyPHP - Both would work. Either a tab close or a particular time period (within which the user doesn't access the page). –  Aug 01 '13 at 14:39
  • @fred2 Fred 2? "New kid in town" lol! Now, what if the user has JS disabled, got an answer for that one? A: Server-side MUST be used, at all times. EDIT: I see you took care of that, good (wink) – Funk Forty Niner Aug 01 '13 at 14:39
  • @Fred ... I've edited to clarify that you still need a session timeout. The user wants instant logout though, not just a low timeout period. As with all JavaScript, you naturally need fallbacks. – fred2 Aug 01 '13 at 14:41
  • @Leander Whatever method you choose to use, do **NOT** use one that is Javascript-based or contains JS. JS can be disabled. *Food for thought*. – Funk Forty Niner Aug 01 '13 at 14:42
  • @Leander I'm not sure exactly it might work but you may be able to set a short timeout on the session, which is then refreshed on page load, therefore once they've left the site for long enough, their session times out. You can go for the JavaScript version (window.onbeforeunload()) for instant logout, but make sure the server-side timeout is still used – MDEV Aug 01 '13 at 14:42
  • @fred2 Yes I saw that, see "my" edited comment (wink) – Funk Forty Niner Aug 01 '13 at 14:42
  • **2 FREDS** in one thread, could be confusing! lol Hey, I'm a poet and didn't even know it. – Funk Forty Niner Aug 01 '13 at 14:43
  • @SmokeyPHP **"Monty Python"** ;-) – Funk Forty Niner Aug 01 '13 at 14:45
  • @Fred :D Monty Python FTW (3 attempts to `@` the right Fred... FML) – MDEV Aug 01 '13 at 14:48
  • @SmokeyPHP Yeah, that's why I mentioned that, having "2 FREDs" in one thread, could be confusing. – Funk Forty Niner Aug 01 '13 at 14:50
  • Guys, why is no one seeing this. You can use window onunload. If the site is open in two tabs / windows at the same time, closing one would cause the other to invalidate. Imagine reading your email in a separate window and having to log in every time you want to read a new one... Even clicking on links would cause session to end unless he checks for the domain in every . – ZorleQ Aug 01 '13 at 15:13
  • @ZorleQ True, yet it seems like it (window onunload) is not currently supported by Google Chrome and Opera (that may have changed since). Plus, what if the user has JS disabled? If JS is disabled, I would use a ` – Funk Forty Niner Aug 01 '13 at 15:54

2 Answers

8

You cannot guarantee that a user will be logged out when the window closes because you are relying on the page closing gracefully. If a browser hard crashes, JavaScript will not be able to execute.

I would suggest implementing Javascript code to AJAX a call to a logout page on window unload which will work the majority of the time.

For the other cases, you should lower the session timeout limit.

thatidiotguy
5

Depends on how strict you want to be.

If you need an 'instant' log out, then the easiest way would be to use AJAX to ping your server every, let's say, 30s - 1 minute to keep the session alive. This will cause a lot of overhead and increase load on your server, but is the only sure way to instantly log someone out.

The same principle would work for longer periods. Let's say 30 minutes. You can either do what was said in this topic and log someone out after 30 minutes, or use AJAX again to ping the server every 10 - 15 minutes and keep the session alive while user is on the page.

There is probably not much more to it.

Just like @thatidiotguy said, you can implement the window unload event to handle user exits, but you have to be very careful - what if the user has 2 browser windows open? You don't want to log him out if he's viewing 2 pages at the same time.

ZorleQ
  • 1
    Good point about the 2 windows open. You could add a bit of code that stores the number of tabs open on a session and then only log out when the last one is closed. – Lightbulb1 Sep 10 '13 at 14:38
  • How would you implement this? It sounds great, but I'm not sure how to do that. Could you kill the session each time a browser navigates to index.php? I tried to do this, but then index page won't load. – DavidG Jan 27 '18 at 21:45
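
Added example, not code from either answer or from the commenters: a server-side model, in JavaScript, of the heartbeat approach combined with the per-tab tracking suggested in the comments, where a session stays valid only while at least one tab has pinged within the idle timeout. `SessionStore`, its method names and the tab ids are hypothetical, and the session id is assumed to be the one your existing session layer already issues.

```javascript
// Added example; SessionStore and its method names are hypothetical.
class SessionStore {
  constructor({ idleTimeoutMs = 60_000, now = Date.now } = {}) {
    this.idleTimeoutMs = idleTimeoutMs; // keep it a little longer than the ping interval
    this.now = now;                     // injectable clock so expiry can be tested
    this.sessions = new Map();          // sessionId -> Map(tabId -> last heartbeat)
  }

  // Called once at login with the id your session layer already issued.
  login(sessionId, tabId) {
    this.sessions.set(sessionId, new Map([[tabId, this.now()]]));
  }

  // Forget tabs that stopped pinging; destroy the session when none remain.
  #liveTabs(sessionId) {
    const tabs = this.sessions.get(sessionId);
    if (!tabs) return null;
    const cutoff = this.now() - this.idleTimeoutMs;
    for (const [tab, seen] of tabs) if (seen < cutoff) tabs.delete(tab);
    if (tabs.size === 0) {
      this.sessions.delete(sessionId);
      return null;
    }
    return tabs;
  }

  // Periodic AJAX ping from every open tab; false means "log in again".
  heartbeat(sessionId, tabId) {
    const tabs = this.#liveTabs(sessionId);
    if (!tabs) return false;
    tabs.set(tabId, this.now());
    return true;
  }

  // Best-effort call from the unload handler; it may never arrive.
  tabClosed(sessionId, tabId) {
    this.sessions.get(sessionId)?.delete(tabId);
    return this.#liveTabs(sessionId) !== null; // true: another tab is still open
  }

  // Server-side check on every authenticated request (the real guarantee).
  isActive(sessionId) {
    return this.#liveTabs(sessionId) !== null;
  }
}
```

Because expiry is evaluated on the server at every request, a crashed browser or disabled JavaScript only delays logout by at most the idle timeout; the unload call merely shortens that window when it does arrive.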