
I have a PHP site with a login. Once the person is logged in (using standard file based sessions), the person can click a log out page that will log him out.

Problem is - visitors generally don't do that. They simply close the web browser.

However, the next person can come along, open the browser, and be right in the first person's login area.

Seems like this would be a giant security hole :) in shared user environments (offices, internet cafes, etc)

I need to know how to 'log out' the person by closing the window. I know that the 'session.cookie_lifetime' variable is set to 0.

There has to be some solution. Any help would be greatly appreciated.

Padraig

1 Answer

PHP cannot know (in isolation) when the client closes, because that is a client event, not a server event. However you can use JS on the client to AJAX back to the server to let it know the session is closed, using the window.unload event ( link ).

You might also like to check out this answer which explains a potential hole in session cleanup (not sure if that still applies to more recent PHP versions) and also session.gc_maxlifetime, which you may also need to tweak.

Skrivener
  • I discovered that it works fine on IE 8 and Safari. It's only on Chrome and Firefox that it doesn't work. These browsers are somehow reusing session cookies after browser close. I even turned off 'on startup continue from where I left off'. So it's not a PHP problem. – Padraig Nov 14 '13 at 17:48
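
The client-to-server notification suggested in the answer above, as an added example that is not part of the original answer. It assumes a `/logout.php` endpoint (hypothetical name) that destroys the PHP session, and `installLogoutOnClose` is a helper name introduced here; `window` and `navigator` are passed in so the logic can be exercised outside a browser.

```javascript
// Added example: best-effort "end the session when the tab closes" beacon.
// LOGOUT_URL is an assumed endpoint that destroys the PHP session server-side.
const LOGOUT_URL = '/logout.php';

function installLogoutOnClose(win, nav, logoutUrl = LOGOUT_URL) {
  let internalNavigation = false;

  // A click on a same-origin link or a form submit means the user is staying
  // on the site, so the pagehide that follows must not end the session.
  win.addEventListener('click', (event) => {
    const link = event.target && event.target.closest
      ? event.target.closest('a[href]')
      : null;
    if (link &&
        new URL(link.href, win.location.href).origin === win.location.origin) {
      internalNavigation = true;
    }
  }, true);
  win.addEventListener('submit', () => { internalNavigation = true; }, true);

  // pagehide is used rather than unload because event.persisted tells us
  // when the page is only entering the back/forward cache.
  win.addEventListener('pagehide', (event) => {
    if (event.persisted || internalNavigation) {
      internalNavigation = false;
      return false; // nothing sent, session stays alive
    }
    // sendBeacon queues a POST (with the session cookie for a same-origin
    // URL) that the browser delivers even while the page is torn down.
    return nav.sendBeacon(logoutUrl);
  });
}

// Only wire it up when running in a real browser.
if (typeof window !== 'undefined' && typeof navigator !== 'undefined') {
  installLogoutOnClose(window, navigator);
}
```

A reload or a typed-in URL also fires `pagehide` and will end the session here, and a crashed or killed browser sends nothing, so the server-side session expiry mentioned in the answer is still needed as the backstop.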