14

Though this question has multiple duplicates, I could not find a proper solution for me. Need some help.

I have used ini_set('session.cookie_lifetime', 0); in my configuration file.

But it is not helping me to destroy session on browser close.

Application current flow:

1) In authentication page if user is valid, generate new session identifier using session_regenerate_id(true);

2) Control goes to welcome.php where I start new session using session_start();

3) In logout page, code is

    $_SESSION = array();
    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]
        );
    }
    // Finally, destroy the session.
    session_destroy();
Shri
  • Please elaborate more. What actually do you mean by "destroy session"? – zerkms Jun 25 '14 at 06:55
  • I want to close existing session if user closes browser. If user reopens browser I want to send him login page again. – Shri Jun 25 '14 at 06:57
  • what "close existing session" means? – zerkms Jun 25 '14 at 06:58
  • I don't think there is a good way to do this, you can however delete the session on start up. – kpp Jun 25 '14 at 06:58
  • 4
    A browser closing is never the best way to destroy a cookie session because the webserver never knows when the browser is closed. The browser doesn't send any notification that it is closing to the server so the server can't send the command to delete the cookie because the browser has closed. – Kinnectus Jun 25 '14 at 06:58
  • 1
    Hint, uncheck the *remember me* option when logging in. ;p – Lawrence Cherone Jun 25 '14 at 06:58
  • @Big Chris Exactly. But is there any way to handle this situation? – Shri Jun 25 '14 at 07:01
  • @Shri How are you currently checking if the session valid? Can you post the code you have? – mishka Jun 25 '14 at 07:04
  • just let the users log-in every time they visit your startpage. – low_rents Jun 25 '14 at 07:05
  • @Manju Currently I am using session id to check valid session along with some values I have stored in session – Shri Jun 25 '14 at 07:09
  • @Shri 1. It is better if you share session checking code from login and logout pages 2. How are you testing it to make sure it works? – mishka Jun 25 '14 at 07:29
  • if you want that the user must be logged in after closing the browser, visit : http://stackoverflow.com/a/31422784/4380588 – Faiyaz Alam Oct 22 '15 at 17:21

10 Answers

9

This might help you,

session_set_cookie_params(0);
session_start();

Your session cookie will be destroyed... so your session will be good until the browser is open. Please view http://www.php.net//manual/en/function.session-set-cookie-params.php this may help you.

Adil Abbasi
9

Use a keep alive.

On login:

session_start();
$_SESSION['last_action'] = time();

An ajax call every few (eg 20) seconds:

window.setInterval(keepAliveCall, 20000);

Server side keepalive.php:

session_start();
$_SESSION['last_action'] = time();

On every other action:

session_start();
if ($_SESSION['last_action'] < time() - 30 /* be a little tolerant here */) {
  // destroy the session and quit
}
colburton
  • This is a solution for the small man. why? because if you change the session it needs to be rewritten at the end of the script. If you have a big website, that is a lot of I/O just to auto logoff users. – Benjamin Eckstein Oct 04 '17 at 13:08
  • 1
    @Umigo: You do not need to use files as session storage. PHP provides for example Memcache as alternative. – colburton Oct 06 '17 at 05:41
  • The best and the most simple answer on how to check if a user is online or offline (y) – Syno Dec 06 '17 at 09:57
  • @colburton Even when using Memcache; it's still I/O and, with enough users, will cause problems nonetheless. Also it, potentially, causes a lot more requests that _also_ need to be handled by the webserver(s) which _also_ costs resources (however small you may be able to get them, it won't be zero). I'd rather reevaluate why one would want to destroy sessions in such a hurry than harm the possibility to scale or cause 'unnecessary' load on machines. – RobIII May 23 '18 at 08:48
8

The best way to close the session is: if there is no response for that session after a particular interval of time, then close it. Please see this post and I hope it will resolve the issue. "How to change the session timeout in PHP?"

Community
Ankit
5

There are different ways to do this, but the server can't detect when the browser gets closed so destroying it then is hard.

  • timeout session.

Either create a new session with the current time or add a time variable to the current session, and then check it when you start up or perform an action to see if the session has to be removed.

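session_start();
// Record the creation time only once, when the session is new.
if (!isset($_SESSION["timeout"])) {
    $_SESSION["timeout"] = time();
}
// If 100 seconds have passed since creating the session, delete it.
if (time() - $_SESSION["timeout"] > 100) {
    unset($_SESSION["timeout"]);
}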
  • ajax

Make javascript perform an ajax call that will delete the session, with onbeforeunload() a javascript function that calls a final action when the user leaves the page. For some reason this doesn't always work though.

  • delete it on startup.

If you always want the user to see the login page on startup after the page has been closed you can just delete the session on startup.

<?php
session_start();
unset($_SESSION["session"]);

and there probably are some more.

kpp
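
The timeout approach from this answer and from the "no response after a particular interval" answer above, written out as an added example (not code from any poster on this page). The names IDLE_LIMIT, ABSOLUTE_LIMIT, the created key and login.php are assumptions, last_action is borrowed from the keep-alive answer, and the secure cookie flag assumes the site is served over HTTPS.

```php
<?php
// Added example, not code from any answer on this page.
// Assumed names: IDLE_LIMIT, ABSOLUTE_LIMIT, 'created', login.php.
const IDLE_LIMIT = 900;        // seconds without a request before logout
const ABSOLUTE_LIMIT = 28800;  // maximum session age in seconds

// Pure check, so the rule can be unit-tested without a live session.
function session_expired(array $s, int $now): bool
{
    if (!isset($s['created'], $s['last_action'])) {
        return false; // brand-new session, nothing to expire yet
    }
    return ($now - $s['last_action'] > IDLE_LIMIT)
        || ($now - $s['created'] > ABSOLUTE_LIMIT);
}

// Remove the server-side data and expire the browser cookie.
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Lifetime 0 makes this a browser-session cookie; browsers that restore
// tabs may keep it, so the server-side timestamps below are the real limit.
session_set_cookie_params(0, '/', '', true, true); // secure + httponly
session_start();

$now = time();
if (session_expired($_SESSION, $now)) {
    destroy_session();
    header('Location: login.php');
    exit;
}
if (!isset($_SESSION['created'])) {
    $_SESSION['created'] = $now; // set once, never refreshed
}
$_SESSION['last_action'] = $now; // refreshed on every request
```

Include this at the top of every protected page, before any output. The server never learns that the browser closed; it only sees that requests stopped, so the idle limit is what ends an abandoned session.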
3

There's one more "hack" by using HTTP Referer (we assume that the browser window was closed if the current referer's domain name and the current page's domain name do not match):

session_start();
$_SESSION['somevariable'] = 'somevalue';

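// A missing Referer header is treated as a mismatch instead of raising a notice.
$referer = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : '';
if (parse_url($referer, PHP_URL_HOST) != $_SERVER["SERVER_NAME"]) {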
    session_destroy();
}

This also has some drawbacks, but it helped me a few times.

DTT
2

You can do it using JavaScript by triggering an ajax request to the server to destroy the session on the onbeforeunload event fired when we close the browser tab or window or browser.

itzmukeshy7
0

Use the following code to destroy the session:

    <?php
    session_start();
    unset($_SESSION['sessionvariable']);
    header("Location: index.php");
    exit; // stop the script so nothing else runs after the redirect
    ?>
user3774008
0

If you want to change the session id on each log in, make sure to use session_regenerate_id(true) during the log in process.

<?php
session_start();
session_regenerate_id(true);
?> 
Braike dp
0

If you close your browser your session is lost.

session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser.

session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and potentially cleaned up.

ini_set('session.cookie_lifetime', 172800);  // for 48 hours (48 * 3600 seconds)
ini_set('session.gc_maxlifetime', 172800);  // for 48 hours (48 * 3600 seconds)
session_start();
CyriDev
-2

If you are confused about what to do, just refer to the manual of the session_destroy() function:

http://php.net/manual/en/function.session-destroy.php

There you can find some more features of session_destroy().

Mr.Unknown